[2024年05月] 検証済みPECB試験問題集でISO-IEC-27001-Lead-Auditor試験学習ガイド
ベスト品質のPECB ISO-IEC-27001-Lead-Auditor試験解答リアル練習試験問題集で[2024]
PECB ISO-IEC-27001-LEAD-Auditor認定試験は、情報セキュリティシステムの監査と管理に焦点を当てた国際的に認められた試験です。この認定は、ISO/IEC 27001規格に対して組織の情報セキュリティ管理システム(ISM)の監査と評価に関心のある専門家向けです。
質問 # 45
Your organisation is currently seeking ISO/IEC27001:2022 certification. You have just qualified as an Internal ISMS auditor and the ICT Manager wants to use your newly acquired knowledge to assist him with the design of an information security incident management process.
He identifies the following stages in his planned process and asks you to confirm which order they should appear in.
正解:
解説:
Explanation
Step 1 = Incident logging Step 2 = Incident categorisation Step 3 = Incident prioritisation Step 4 = Incident assignment Step 5 = Task creation and management Step 6 = SLA management and escalation Step 7 = Incident resolution Step 8 = Incident closure The order of the stages in the information security incident management process should follow a logical sequence that ensures a quick, effective, and orderly response to the incidents, events, and weaknesses. The order should also be consistent with the best practices and guidance provided by ISO/IEC 27001:2022 and ISO/IEC 27035:2022. Therefore, the following order is suggested:
* Step 1 = Incident logging: This step involves recording the details of the potential incident, event, or weakness, such as the date, time, source, description, impact, and reporter. This step is important to provide a traceable record of the incident and to facilitate the subsequent analysis and response. This step is related to control A.16.1.1 of ISO/IEC 27001:2022, which requires the organization to establish responsibilities and procedures for the management of information security incidents, events, and weaknesses. This step is also related to clause 6.2 of ISO/IEC 27035:2022, which provides guidance on how to log the incidents, events, and weaknesses.
* Step 2 = Incident categorisation: This step involves determining the type and nature of the incident, event, or weakness, such as whether it is a hardware issue, network issue, or software issue. This step is important to classify the incident and to assign it to the appropriate resolver or team. This step is related to control A.16.1.2 of ISO/IEC 27001:2022, which requires the organization to report information
* security events and weaknesses as quickly as possible through appropriate management channels. This step is also related to clause 6.3 of ISO/IEC 27035:2022, which provides guidance on how to categorize the incidents, events, and weaknesses.
* Step 3 = Incident prioritisation: This step involves assessing the severity and urgency of the incident, event, or weakness, and classifying it as critical, high, medium, or low. This step is important to prioritize the incident and to allocate the necessary resources and time for the response. This step is related to control A.16.1.3 of ISO/IEC 27001:2022, which requires the organization to assess and prioritize information security events and weaknesses in accordance with the defined criteria. This step is also related to clause 6.4 of ISO/IEC 27035:2022, which provides guidance on how to prioritize the incidents, events, and weaknesses.
* Step 4 = Incident assignment: This step involves passing the incident, event, or weakness to the individual or team who is best suited to resolve it, based on their skills, knowledge, and availability.
This step is important to ensure that the incident is handled by the right person or team and to avoid delays or confusion. This step is related to control A.16.1.4 of ISO/IEC 27001:2022, which requires the organization to respond to information security events and weaknesses in a timely manner, according to the agreed procedures. This step is also related to clause 6.5 of ISO/IEC 27035:2022, which provides guidance on how to assign the incidents, events, and weaknesses.
* Step 5 = Task creation and management: This step involves identifying and coordinating the work needed to resolve the incident, event, or weakness, such as performing root cause analysis, testing solutions, implementing changes, and documenting actions. This step is important to ensure that the incident is resolved effectively and efficiently, and that the actions are tracked and controlled. This step is related to control A.16.1.5 of ISO/IEC 27001:2022, which requires the organization to apply lessons learned from information security events and weaknesses to take corrective and preventive actions. This step is also related to clause 6.6 of ISO/IEC 27035:2022, which provides guidance on how to create and manage the tasks for the incidents, events, and weaknesses.
* Step 6 = SLA management and escalation: This step involves ensuring that any service level agreements (SLAs) are adhered to while the resolution is being implemented, and that the incident is escalated to a higher level of authority or support if a breach looks likely or occurs. This step is important to ensure that the incident is resolved within the agreed time frame and quality, and that any deviations or issues are communicated and addressed. This step is related to control A.16.1.6 of ISO/IEC 27001:2022, which requires the organization to communicate information security events and weaknesses to the relevant internal and external parties, as appropriate. This step is also related to clause 6.7 of ISO/IEC
27035:2022, which provides guidance on how to manage the SLAs and escalations for the incidents, events, and weaknesses.
* Step 7 = Incident resolution: This step involves applying a temporary workaround or a permanent solution to resolve the incident, event, or weakness, and restoring the normal operation of the information and information processing facilities. This step is important to ensure that the incident is resolved completely and satisfactorily, and that the information security is restored to the desired level.
This step is related to control A.16.1.7 of ISO/IEC 27001:2022, which requires the organization to identify the cause of information security events and weaknesses, and to take actions to prevent their recurrence or occurrence. This step is also related to clause 6.8 of ISO/IEC 27035:2022, which provides guidance on how to resolve the incidents, events, and weaknesses.
* Step 8 = Incident closure: This step involves closing the incident, event, or weakness, after verifying that it has been resolved satisfactorily, and that all the actions have been completed and documented.
This step is important to ensure that the incident is formally closed and that no further actions are
* required. This step is related to control A.16.1.8 of ISO/IEC 27001:2022, which requires the organization to collect evidence and document the information security events and weaknesses, and the actions taken. This step is also related to clause 6.9 of ISO/IEC 27035:2022, which provides guidance on how to close the incidents, events, and weaknesses.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1
* PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2
* ISO 27001:2022 Lead Auditor - PECB3
* ISO 27001:2022 certified ISMS lead auditor - Jisc4
* ISO/IEC 27001:2022 Lead Auditor Transition Training Course5
* ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6
* ISO/IEC 27035:2022, Information technology - Security techniques - Information security incident management
質問 # 46
Select the correct sequence for the information security risk assessment process in an ISMS.
To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank
正解:
解説:
Explanation:
A group of black text Description automatically generated
According to ISO 27001:2022, the standard for information security management systems (ISMS), the correct sequence for the information security risk assessment process is as follows:
* Establish information security criteria
* Identify the information security risks
* Analyse the information security risks
* Evaluate the information security risks
The first step is to establish the information security criteria, which include the risk assessment methodology, the risk acceptance criteria, and the risk evaluation criteria. These criteria define how the organization will perform the risk assessment, what level of risk is acceptable, and how the risks will be compared and prioritized.
The second step is to identify the information security risks, which involve identifying the assets, threats, vulnerabilities, and existing controls that are relevant to the ISMS. The organization should also identify the potential consequences and likelihood of each risk scenario.
The third step is to analyse the information security risks, which involve estimating the level of risk for each risk scenario based on the criteria established in the first step. The organization should also consider the sources of uncertainty and the confidence level of the risk estimation.
The fourth step is to evaluate the information security risks, which involve comparing the estimated risk levels with the risk acceptance criteria and determining whether the risks are acceptable or need treatment. The organization should also prioritize the risks based on the risk evaluation criteria and the objectives of the ISMS.
References: ISO 27001:2022 Clause 6.1.2 Information security risk assessment, ISO 27001 Risk Assessment
& Risk Treatment: The Complete Guide - Advisera, ISO 27001 Risk Assessment: 7 Step Guide - IT Governance UK Blog
質問 # 47
The following options are key actions involved in a first-party audit. Order the stages to show the sequence in which the actions should take place.
正解:
解説:

質問 # 48
What is social engineering?
- A. The organization planning an activity for welfare of the neighborhood
- B. A group planning for a social activity in the organization
- C. Creating a situation wherein a third party gains confidential information from you
正解:C
解説:
Explanation
Social engineering is a technique that involves creating a situation wherein a third party gains confidential information from you by manipulating your trust or exploiting your weaknesses. Social engineering can take various forms, such as phishing emails, phone calls, impersonation, or baiting. Social engineering is a common threat to information security, as it targets the human factor rather than the technical defenses. References: :
CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 26. : ISO/IEC 27001 LEAD AUDITOR
- PECB, page 13.
質問 # 49
What would be the reference for you to know who should have access to data/document?
- A. Information Rights Management (IRM)
- B. Access Control List (ACL)
- C. Masterlist of Project Records (MLPR)
- D. Data Classification Label
正解:B
解説:
Explanation
The reference for you to know who should have access to data/document is the Access Control List (ACL), which is a list of users or groups who are authorized to access a specific data/document and their respective access rights (such as read, write, modify, delete, etc.). The ACL is a tool for implementing the access control policy of the organization, which is defined in accordance with ISO/IEC 27001:2022 clause 9.4.1. The ACL should be maintained and updated regularly to ensure that only authorized users can access the data/document. References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course],
[ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements]
質問 # 50
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?
- A. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
- B. I will speak to top management to make sure all staff are aware of the importance of reporting threats
- C. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
- D. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
- E. I will review the organisation's threat intelligence process and will ensure that this is fully documented
- F. I will determine whether internal and external sources of information are used in the production of threat intelligence
- G. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
- H. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team
正解:C、E、F
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives1. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that represent valid audit trails for verifying control 5.7 are:
I will review the organisation's threat intelligence process and will ensure that this is fully documented: This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221.
I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.
I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221.
The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:
I will speak to top management to make sure all staff are aware of the importance of reporting threats: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.
I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.
I will ensure that the organisation's risk assessment process begins with effective threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:20183, which provides guidelines for information security risk management.
I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.
I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.
質問 # 51
You are an experienced ISMS audit team leader providing guidance to an auditor in training.
The auditor in training appears to be confused about the interpretation of competence in ISO 27001:2022 and is seeking clarification from you that his understanding is correct. He sets out a series of mini scenarios and asks you which of these you would attribute to a lack of competence. Select four correct options.
- A. A senior programmer did not check their coding for errors as they were running late for a doctor's appointment
- B. A new starter was unable to switch on CCTV monitoring because they had not been shown how to do this
- C. An IT technician failed to configure a new model of server correctly as a result of not reading the supplied instructions
- D. A senior manager could not assist in the organisation's information security incident recovery process as she had not received the required training
- E. A data centre operator inadvertently placed a backup tape into an incorrect drive because they were in a hurry to move on to another task
- F. A system administrator deleted two live accounts as well as five redundant accounts as a result of receiving an incorrect instruction
- G. An employee recently transferred from the IT networks team to Software development was unaware of the need to complete product release forms prior to shipping
- H. An experienced receptionist allowed a contractor she recognised to enter the data centre without his access card
正解:B、C、D、G
解説:
Explanation
These four scenarios are examples of a lack of competence, which is defined as the ability to apply the knowledge and skills needed to perform a work role or a task effectively and efficiently12. Competence in ISO
27001:2022 is determined by the organisation's needs and expectations, and it is based on the relevant education, training, or experience of the people involved in the ISMS34. The organisation is required to ensure that all the people who affect the performance of the ISMS are competent, and to provide them with the necessary training and awareness to fulfil their roles and responsibilities35. The four scenarios indicate that the people involved either lack the knowledge or skills to perform their tasks, or have not received the appropriate training or guidance to do so. The other scenarios are not related to competence, but to other factors such as negligence, error, or policy violation.
References: = 1: ISO 19011:2018 Guidelines for auditing management systems, clause 3.72: ISO/IEC
27007:2011 Information technology - Security techniques - Guidelines for information security management systems auditing, clause 53: ISO/IEC 27001:2022 Information technology - Security techniques
- Information security management systems - Requirements, clause 7.24: ISO 27001 Requirement 7.2 - Competence | ISMS.online15: ISO27001 Clause 7.2 Competence - Ultimate Certification Guide - High Table3
質問 # 52
You are performing an ISMS audit at a residential nursing home that provides healthcare services and are reviewing the Software Code Management (SCM) system. You found a total of 10 user accounts on the SCM.
You confirm that one of the users, Scott, resigned 9-months
ago. The SCM System Administrator confirmed Scott's last check-out of the source code was found 1 month ago. He was using one of the uthorized desktops from the local network in a secure area.
You check with the user de-registration procedure which states "Managers have to make sure of deregistration of the user account and authorisation immediately from the relevant ICT system and/or equipment after resignation approval." There was no deregistration record for user Scott.
The IT Security Manager explains that Scott still comes back to the office every month after he resigned to provide support on source code maintenance. That's why his account on SCM still exists.
You would like to investigate other areas further to collect more audit evidence. Select three options that would not be valid audit trails.
- A. Collect more evidence on how Scott can access the secure area. (Relevant to control A.8.4)
- B. Collect more evidence on how the transition of Scott from full-time to part-time employment was managed (relevant to control A.6.5)
- C. Collect more evidence on how Scott can access the employee's desktop and local network. (Relevant to control A.5.15)
- D. Collect more evidence from Scott's background verification checks performed by the human resource department under the new employment relationship. (Relevant to control A.6.1)
- E. Collect more evidence of why Scott resigned and whether his re-engagement represents a conflict of interest. (relevant to control A.5.3)
- F. Collect more evidence on how access controls are periodically reviewed to maintain security (Relevant to control A.5.35)
- G. Collect more evidence on where Scott kept the source code that he checked out and how it was secured.
(Relevant to control A.8.4) - H. Collect more evidence on how the organization pays for Scott's source code maintenance support service. (Relevant to control A.6.2)
正解:B、E、H
解説:
Explanation
The options B, D, and G are not valid audit trails because they are not directly related to the ISMS requirements or the audit criteria. They are more relevant to the human resource management or the contractual arrangements of the organization, which are outside the scope of the ISMS audit. The other options are valid audit trails because they can provide evidence of how the organization implements and maintains the ISMS controls related to access control, secure areas, and information security aspects of business continuity management. References:
* PECB Candidate Handbook ISO/IEC 27001 Lead Auditor, page 16, section 4.2.1
* ISO/IEC 27001:2013, clauses A.5.3, A.5.15, A.5.35, A.6.1, A.6.2, A.6.5, A.8.4, A.17.1
* ISO 19011:2018, clause 6.2.2
質問 # 53
Which two of the following phrases would apply to "audit objectives"?
- A. Audit duration
- B. Identifying opportunities for improvement, if required
- C. Checking legal compliance
- D. Determining conformity
- E. Revising management policy
- F. Auditor competence
正解:B、D
質問 # 54
You are an experienced ISMS audit team leader providing guidance to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the following activities. They have asked you to review their checklist to confirm that the actions they are proposing are appropriate.
The audit they have been invited to participate in is a third-party surveillance audit of a data centre . The data centre agent is part of a wider telecommunication group. Each data centre within the group operates its own ISMS and holds its own certificate.
- A. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest
- B. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
- C. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services
- D. I will ensure the organization is has determined the need to communicate with external providers regarding the ISMS
- E. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group
- F. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products of services
- G. I will ensure the organization is regularly monitoring, reviewing and evaluating external provider performance
- H. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information
正解:C、D、E、G
解説:
Explanation
* A. I will check the other data centres are treated as external providers, even though they are part of the same telecommunication group. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. Externally provided processes, products or services are those that are provided by any external party, regardless of the degree of its relationship
* with the organisation. Therefore, the other data centres within the same telecommunication group should be treated as external providers and subject to the same controls as any other external provider12
* B. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of its products or services. This is appropriate because clause 8.1.4 of ISO
27001:2022 requires the organisation to implement appropriate contractual requirements related to information security with external providers. One of the contractual requirements could be the obligation of the external provider to notify the organisation of any risks arising from the use of its products or services, such as security incidents, vulnerabilities, or changes that could affect the information security of the organisation. The external provider should have a documented process in place to ensure that such notification is timely, accurate, and complete12
* E. I will ensure the organisation is regularly monitoring, reviewing and evaluating external provider performance. This is appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to monitor, review and evaluate the performance and effectiveness of the externally provided processes, products or services. The organisation should have a process in place to measure and verify the conformity and suitability of the external provider's deliverables and activities, and to provide feedback and improvement actions as necessary. The organisation should also maintain records of the monitoring, review and evaluation results12
* F. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This is appropriate because clause 7.4.2 of ISO 27001:2022 requires the organisation to determine the need for internal and external communications relevant to the information security management system, including the communication with external providers. The organisation should define the purpose, content, frequency, methods, and responsibilities for such communication, and ensure that it is consistent with the information security policy and objectives. The organisation should also retain documented information of the communication as evidence of its implementation12 The following activities are not appropriate for the assessment of external providers according to ISO
27001:2022:
* C. I will ensure that the organisation has a reserve external provider for each process it has identified as critical to preservation of the confidentiality, integrity and accessibility of its information. This is not appropriate because ISO 27001:2022 does not require the organisation to have a reserve external provider for each critical process. The organisation may choose to have a contingency plan or a backup solution in case of failure or disruption of the external provider, but this is not a mandatory requirement. The organisation should assess the risks and opportunities associated with the external provider and determine the appropriate treatment options, which may or may not include having a reserve external provider12
* D. I will limit my audit activity to externally provided processes as there is no need to audit externally provided products or services. This is not appropriate because clause 8.1.4 of ISO 27001:2022 requires the organisation to control the externally provided processes, products or services that are relevant to the information security management system. Externally provided products or services may include software, hardware, data, or cloud services that could affect the information security of the organisation. Therefore, the audit activity should cover both externally provided processes and products or services, as applicable12
* G. I will ensure that top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. This is not appropriate because clause 5.3 of ISO 27001:2022 requires the top management to assign the roles and responsibilities for the
* information security management system within the organisation, not for the external providers. The external providers are responsible for assigning their own roles and responsibilities for the processes, products or services they provide to the organisation. The organisation should ensure that the external providers have adequate competence and awareness for their roles and responsibilities, and that they are contractually bound to comply with the information security requirements of the organisation12
* H. I will ensure that the organisation ranks its external providers and allocates the majority of its work to those providers who are rated the highest. This is not appropriate because ISO 27001:2022 does not require the organisation to rank its external providers or to allocate its work based on such ranking. The organisation may choose to evaluate and compare the performance and effectiveness of its external providers, but this is not a mandatory requirement. The organisation should select and use its external providers based on the information security criteria and objectives that are relevant to the organisation12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
質問 # 55
You are an ISMS audit team leader tasked with conducting a follow-up audit at a client's data centre.
Following two days on-site you conclude that of the original 12 minor and 1 major nonconformities that prompted the follow-up audit, only 1 minor nonconformity still remains outstanding.
Select four options for the actions you could take.
- A. Agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified
- B. Advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity
- C. Conduct an unannounced follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared
- D. Advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity
- E. Recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit
- F. Note the progress made but hold the audit open until all corrective action has been cleared
- G. Close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised
- H. Recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale
正解:A、D、F、G
解説:
The four options for the actions you could take are A, C, F, and G. These options are consistent with the guidance and requirements of ISO 19011:2018, Clause 6.712. You could agree with the auditee/audit client how the remaining nonconformity will be cleared, by when, and how its clearance will be verified (A), and document the agreement in the audit report1. You could close the follow-up audit as the organisation has demonstrated it is committed to clearing the nonconformities raised , and report the outcome to the audit client and other relevant parties1. You could note the progress made but hold the audit open until all corrective action has been cleared (F), and determine the need for another follow-up audit or other actions1. You could also advise the individual managing the audit programme of any decision taken regarding the outstanding nonconformity (G), as they are responsible for the overall management and coordination of the audit programme3. The other options are either not appropriate or not necessary for the situation. You should not recommend that the outstanding minor nonconformity is dealt with at the next surveillance audit (B), as this may compromise the audit objectives and the audit programme1. You should not recommend suspension of the organisation's certification as they have failed to implement the agreed corrections and corrective actions within the agreed timescale (D), as this is not within your role or authority as an ISMS auditor4. You should not advise the auditee that you will arrange for the next audit to be an online audit to deal with the outstanding nonconformity (E), as this may not be feasible or effective depending on the nature and complexity of the nonconformity1. You should not conduct an unannounced follow-up audit on-site to review the one outstanding minor nonconformity once it has been cleared (H), as this may not be in accordance with the audit agreement or the audit programme1. References: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6:
Closing an ISO/IEC 27001 audit \n3: ISO 19011:2018, Guidelines for auditing management systems, Clause
5.3 \n4: ISO/IEC 27006:2022, Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems, Clause 9.6
質問 # 56
Select the words that best complete the sentence:
To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.
正解:
解説:
Explanation:
competence of the audit team and decision made by the certification body According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, an accredited certification means that the certification body has been evaluated by an accreditation body against recognized standards to demonstrate its competence, impartiality and performance capability1. Therefore, an accredited certification assures the competence of the audit team that conducts the audit in accordance with ISO 19011 and ISO/IEC 27001:2022, and the decision made by the certification body that grants or maintains the certification based on the audit evidence and findings2. References: ISO/IEC
17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA
質問 # 57
Phishing is what type of Information Security Incident?
- A. Cracker/Hacker Attacks
- B. Private Incidents
- C. Legal Incidents
- D. Technical Vulnerabilities
正解:A
解説:
Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Phishing?
質問 # 58
Auditors need to communicate effectively with auditees. Therefore, their personal behaviour is a key characteristic needed to ensure a successful audit. Below there are the characteristics and a brief related description. Match the characteristics to the descriptions.
正解:
解説:
Explanation:
The possible matches of the characteristics to the descriptions are:
* Tenacious: Persistent and focused on objectives
* Ethical: Fair, truthful, sincere, honest, discreet
* Diplomatic: Tactful in dealing with individuals
* Observant: Actively observing surroundings/activities
* Perceptive: Aware of and able to understand situations
* Open to improvement: Willing to learn from situations
Actively observing surroundings/activities = Observant
Fair, truthful, sincere, honest, discreet = Ethical
Persistent and focused on objectives = Tenacious
Willing to learn from situations = Open to improvement
Tactful in dealing with individuals = Diplomatic
Aware of and able to understand situations = Perceptive
These are the auditor's characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor's personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles
質問 # 59
After completing Stage 1 and in preparation for a Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites that have recently been acquired by the organisation.
Considering this information, what action would you expect the audit team leader to take?
- A. Inform the auditee that the request can be accepted but a full Stage 1 audit must be repeated
- B. Obtain information about the additional sites to inform the certification body
- C. Increase the length of the Stage 2 audit to include the extra sites
- D. Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
正解:B
解説:
Explanation
According to ISO/IEC 17021-1, which specifies the requirements for bodies providing audit and certification of management systems, a certification body should establish criteria for determining audit time and audit team composition based on factors such as the scope of certification, size and complexity of the organization, risks associated with its activities, etc2. Therefore, if an auditee requests to extend the audit scope to include two additional sites after completing Stage 1 of an initial certification audit, the audit team leader should obtain information about the additional sites to inform the certification body, so that they can review and approve the change in scope and adjust the audit time and audit team accordingly2. The other options are not appropriate actions for the audit team leader to take in this situation. For example, increasing the length of the Stage 2 audit to include the extra sites without informing the certification body may violate their procedures and policies; arranging to complete a remote Stage 1 audit of the two sites using a video conferencing platform may not be feasible or effective depending on the nature and location of the sites; and informing the auditee that the request can be accepted but a full Stage 1 audit must be repeated may not be necessary or reasonable if there are no significant changes in the auditee's ISMS since Stage 12. References: ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
質問 # 60
Review the following statements and determine which two are false:
- A. The number of days assigned to a third-party audit is determined by the auditee's availability
- B. The selection of onsite, virtual or combination audits should take into consideration historical performance and previous audit results
- C. Due to confidentiality and security concerns, screen sharing during a virtual audit is one method by which the audit team can review the auditee's documentation
- D. Auditors approved for conducting onsite audits do not require additional training for virtual audits, as there are no significant differences in the skillset required
- E. During a virtual audit, auditees participating in interviews are strongly recommended to keep their webcam enabled
- F. Conducting a technology check in advance of a virtual audit can improve the effectiveness and efficiency of the audit
正解:A、D
解説:
Explanation
The number of days assigned to a third-party audit is not determined by the auditee's availability, but by the audit program, which considers the audit scope, objectives, criteria, risks, and resources12. The auditee's availability is only one factor that affects the audit planning and scheduling, but not the audit duration3.
Auditors approved for conducting onsite audits do require additional training for virtual audits, as there are significant differences in the skillset required. Virtual audits pose different challenges and opportunities than onsite audits, such as communication, technology, security, and evidence collection4 . Auditors need to be familiar with the tools and techniques for conducting remote audits, as well as the ethical and professional behavior expected in a virtual environment . References:
* PECB Candidate Handbook - ISO 27001 Lead Auditor, page 18
* ISO 19011:2018, Guidelines for auditing management systems, clause 5.3.2
* ISO 19011:2018, Guidelines for auditing management systems, clause 6.3.1
* Deloitte - Conducting a Virtual Internal Audit, page 1
* [A Guide to Conducting Effective and Efficient Remote Audits], page 1
* [ISO 19011:2018, Guidelines for auditing management systems], clause 7.2.3
* [Remote Auditing Best Practices & Checklist for Regulatory Compliance], page 1
質問 # 61
Which of the following is a possible event that can have a disruptive effect on the reliability of information?
- A. Dependency
- B. Risk
- C. Threat
- D. Vulnerability
正解:C
解説:
Explanation
A possible event that can have a disruptive effect on the reliability of information is a threat. A threat is anything that has the potential to harm an asset or its protection, such as a natural disaster, a human error, a malicious attack, etc. A threat can exploit a vulnerability or weakness in an asset or its protection and cause an adverse impact on the confidentiality, integrity or availability of information. ISO/IEC 27001:2022 defines threat as "potential cause of an unwanted incident, which can result in harm to a system or organization" (see clause 3.48). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Threat?
質問 # 62
A fire breaks out in a branch office of a health insurance company. The personnel are transferred to neighboring branches to continue their work.
Where in the incident cycle is moving to a stand-by arrangements found?
- A. between damage and recovery
- B. between threat and incident
- C. between recovery and threat
- D. between incident and damage
正解:D
解説:
Moving to a stand-by arrangement is found between incident and damage in the incident cycle. The incident cycle is a model that describes the phases of an incident from its occurrence to its resolution. The incident cycle consists of four phases: threat, incident, damage, and recovery1. A threat is a potential cause or source of harm to an organization's information assets or systems. An incident is an event that compromises the confidentiality, integrity, or availability of information assets or systems. Damage is the negative impact or consequence of an incident on the organization's assets, operations, reputation, or legal obligations. Recovery is the process of restoring normal service and operations after an incident and preventing recurrence2. Moving to a stand-by arrangement is a form of contingency plan that enables the organization to continue its critical activities in an alternative location or mode after an incident. This measure is taken before the damage caused by the incident is fully assessed or contained. Therefore, moving to a stand-by arrangement is found between incident and damage in the incident cycle. Reference: [ISO/IEC 27031:2011], clause 4.2; [ISO/IEC 27035:2016], clause 4.
質問 # 63
Scenario 2: Knight is an electronics company from Northern California, US that develops video game consoles. Knight has more than 300 employees worldwide. On the fifth anniversary of their establishment, they have decided to deliver the G-Console, a new generation video game console aimed for worldwide markets. G-Console is considered to be the ultimate media machine of 2021 which will give the best gaming experience to players.
The console pack will include a pair of VR headset, two
games, and other gifts.
Over the years, the company has developed a good reputation by showing integrity, honesty, and respect toward their customers. This good reputation is one of the reasons why most passionate gamers aim to have Knight's G-console as soon as it is released in the market.
Besides being a very customer-oriented company, Knight
also gained wide recognition within the gaming industry because of the developing quality. Their prices are a bit higher than the reasonable standards allow.
Nonetheless, that is not considered an issue for most loyal customers of Knight, as their quality is top-notch.
Being one of the top video game console developers in the world, Knight is also often the center of attention for malicious activities. The company has had an operational ISMS for over a year. The ISMS scope includes all departments of Knight, except Finance and HR departments.
Recently, a number of Knight's files containing proprietary information were leaked by hackers. Knight's incident response team (IRT) immediately started to analyze every part of the system and the details of the incident.
The IRT's first suspicion was that Knight's employees used weak passwords and consequently were easily cracked by hackers who gained unauthorized access to their accounts. However, after carefully investigating the incident, the IRT determined that hackers accessed accounts by capturing the file transfer protocol (FTP) traffic.
FTP is a network protocol for transferring files between accounts. It uses clear text passwords for authentication.
Following the impact of this information security incident and with IRT's suggestion, Knight decided to replace the FTP with Secure Shell (SSH) protocol, so anyone capturing the traffic can only see encrypted data.
Following these changes, Knight conducted a risk assessment to verify that the implementation of controls had minimized the risk of similar incidents. The results of the process were approved by the ISMS project manager who claimed that the level of risk after the implementation of new controls was in accordance with the company's risk acceptance levels.
Based on this scenario, answer the following question:
FTP uses clear text passwords for authentication. This is an FTP:
- A. Threat
- B. Vulnerability
- C. Risk
正解:B
解説:
The use of clear text passwords for authentication in FTP is a vulnerability because it is a weakness that can be exploited by threat actors. Clear text passwords can be intercepted easily by network sniffers or through man-in-the-middle attacks, making them a significant security risk1. References: = This explanation is consistent with the understanding of vulnerabilities within the field of information security, particularly as it relates to network protocols like FTP and their associated risks
質問 # 64
A scenario wherein the city or location where the building(s) reside is / are not accessible.
- A. Component
- B. Facility
- C. Country
- D. City
正解:D
質問 # 65
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
- A. 6.3 Information security awareness, education, and training
- B. 5.13 Labelling of information
- C. 5.11 Return of assets
- D. 5.32 Intellectual property rights
- E. 6.4 Disciplinary process
- F. 5.6 Contact with special interest groups
- G. 5.3 Segregation of duties
- H. 5.34 Privacy and protection of personal identifiable information (PII)
正解:A、B、H
解説:
Explanation
The three Annex A controls that you would expect the auditee to have implemented when you conduct the follow-up audit are:
* B. 5.13 Labelling of information
* E. 5.34 Privacy and protection of personal identifiable information (PII)
* G. 6.3 Information security awareness, education, and training
* B. This control requires the organisation to label information assets in accordance with the information classification scheme, and to handle them accordingly12. This control is relevant for the auditee because it could help them to avoid misaddressing labels and sending parcels to wrong destinations, which could compromise the confidentiality, integrity, and availability of the information assets. By labelling the information assets correctly, the auditee could also ensure that they are delivered to the intended recipients and that they are protected from unauthorized access, use, or disclosure.
* E. This control requires the organisation to protect the privacy and the rights of individuals whose personal identifiable information (PII) is processed by the organisation, and to comply with the applicable legal and contractual obligations13. This control is relevant for the auditee because it could help them to prevent the unauthorized use of residents' personal data by a supplier, which could violate the privacy and the rights of the residents and their family members, and expose the auditee to legal and reputational risks. By protecting the PII of the residents and their family members, the auditee could also enhance their trust and satisfaction, and avoid complaints and disputes.
* G. This control requires the organisation to ensure that all employees and contractors are aware of the information security policy, their roles and responsibilities, and the relevant information security procedures and controls14. This control is relevant for the auditee because it could help them to improve the information security culture and behaviour of their staff, and to reduce the human errors and negligence that could lead to information security incidents. By providing information security awareness, education, and training to their staff, the auditee could also increase their competence and performance, and ensure the effectiveness and efficiency of the information security processes and controls.
References:
1: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, Annex A 2: ISO/IEC 27002:2022 - Information technology - Security techniques
- Code of practice for information security controls, clause 8.2.1 3: ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 18.1.4 4:
ISO/IEC 27002:2022 - Information technology - Security techniques - Code of practice for information security controls, clause 7.2.2
質問 # 66
Information has a number of reliability aspects. Reliability is constantly being threatened. Examples of threats are: a cable becomes loose, someone alters information by accident, data is used privately or is falsified.
Which of these examples is a threat to integrity?
- A. private use of data
- B. a loose cable
- C. System restart
- D. accidental alteration of data
正解:D
解説:
A threat to integrity is anything that can compromise the accuracy, completeness or authenticity of information. Accidental alteration of data is an example of such a threat, as it can cause information to be incorrect or inconsistent. A loose cable, a system restart or a private use of data are not threats to integrity, but rather to availability or confidentiality. ISO/IEC 27001:2022 defines integrity as "property of accuracy and completeness" (see clause 3.24). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Integrity?
質問 # 67
Why do we need to test a disaster recovery plan regularly, and keep it up to date?
- A. Otherwise it is no longer up to date with the registration of daily occurring faults
- B. Otherwise remotely stored backups may no longer be available to the security team
- C. Otherwise the measures taken and the incident procedures planned may not be adequate
正解:C
解説:
Explanation
Testing a disaster recovery plan regularly and keeping it up to date is essential to ensure that the measures taken and the incident procedures planned are adequate and effective in the event of a disaster6. A disaster recovery plan is a documented set of actions and arrangements to enable an organization to respond to a disaster affecting its information assets and resume its critical activities within a defined time frame7.
However, a disaster recovery plan may become obsolete or ineffective due to changes in the organization's environment, operations, risks, or resources. Therefore, testing the plan periodically and updating it accordingly is necessary to verify its validity, feasibility, completeness, and accuracy6. References: ISO/IEC
27031:2011, clauses 7.4 and 8.3; ISO/IEC 27000:2022, clause 3.11.
質問 # 68
......
正真正銘のベスト材料ISO-IEC-27001-Lead-Auditor:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-mondaishu.html
ISO-IEC-27001-Lead-Auditorテストエンジン練習試験:https://drive.google.com/open?id=1NfH0Eu9kY9-zr-rkPJJeRgu_g7hUNjQA