[2025年更新]ISO-IEC-27001-Lead-Auditor-CNのPDF問題完璧見込みでGoShiken練習試験合格させます
質問 # 91
下列哪兩個是「確實」涉及人際互動的審核方法的範例?
- A. 透過遠端存取被審核方伺服器分析數據
- B. 透過遠端存取被審核方的伺服器來分析數據
- C. 對程序進行獨立審查以準備審核
- D. 檢討受審核方對審核結果的回應
- E. 觀察遠端監控執行的工作
正解:C、D
解説:
Audit methods are techniques used by auditors to obtain audit evidence. Audit methods can be classified into two categories: those that involve human interaction and those that do not2. Audit methods that involve human interaction require direct communication between the auditor and the auditee or other relevant parties, such as interviews, questionnaires, surveys, meetings, etc. Audit methods that do not involve human interaction rely on observation, inspection, measurement, testing, sampling, analysis, etc., without requiring any verbal or written exchange2. Therefore, performing an independent review of procedures in preparation for an audit and reviewing the auditee's response to an audit finding are examples of audit methods that involve human interaction, as they require reading and evaluating documents provided by the auditee or other sources. On the other hand, analysing data by remotely accessing the auditee's server and observing work performed by remote surveillance are examples of audit methods that do not involve human interaction, as they do not require any direct communication with the auditee or other parties. References: ISO/IEC 27001:
2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA
質問 # 92
您正在作為審核組組長進行您的第一次第三方 ISMS 監督審核。您目前與審核團隊的另一位成員一起在被審核方的資料中心。
您的同事似乎不確定資訊安全事件和資訊安全事件之間的差異。您嘗試透過提供範例來解釋差異。
下列哪三種場景可以定義為資訊安全事件?
- A. 組織收到網路釣魚電子郵件
- B. 硬碟機在建議更換日期之後使用
- C. 未收到付款的承包商刪除了高階管理人員 ICT 帳戶
- D. 不滿意的員工未經許可更改薪資記錄
- E. 員工在輪班結束時未能清理辦公桌
- F. 組織的行銷資料被駭客複製並出售給競爭對手
- G. 組織未通過第三方滲透測試
- H. 組織的惡意軟體防護軟體可防止病毒
正解:C、D、F
解説:
According to ISO/IEC 27000:2018, which provides an overview and vocabulary of information security management systems, an information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant1. An information security incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security1. Therefore, based on this definition, three examples of information security incidents are:
* A contractor who has not been paid deletes top management ICT accounts: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of access, data, or functionality for the top management.
* An unhappy employee changes payroll records without permission: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in financial fraud, legal liability, or reputational damage for the organization.
* The organisation's marketing data is copied by hackers and sold to a competitor: This is an example of an unwanted or unexpected information security event that has a significant probability of compromising business operations and threatening information security, as it may result in loss of confidentiality, competitive advantage, or customer trust for the organization.
The other options are not examples of information security incidents, but rather information security events that may or may not lead to incidents depending on their impact and severity. For example:
* The organisation's malware protection software prevents a virus: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, as it is prevented by the malware protection software.
* A hard drive is used after its recommended replacement date: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it fails or causes other problems.
* The organisation receives a phishing email: This is an example of an identified occurrence of a network state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless it is opened or responded to by the recipient.
* An employee fails to clear their desk at the end of their shift: This is an example of an identified occurrence of a service state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the desk contains sensitive or confidential information that is accessed by unauthorized persons.
* The organisation fails a third-party penetration test: This is an example of an identified occurrence of a system state indicating a possible breach of information security policy or failure of safeguards, but it does not have a significant probability of compromising business operations and threatening information security, unless the penetration test reveals serious vulnerabilities that are exploited by malicious actors.
References: ISO/IEC 27000:2018 - Information technology - Security techniques - Information security management systems - Overview and vocabulary
質問 # 93
審核過程中,審核組長透過邏輯推理和分析,及時得出結論。
審計組長表現出了哪些專業行為?
- A. 道德
- B. 有洞察力
- C. 思想開放
- D. 決定性的
正解:D
解説:
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, one of the professional behaviours expected from an audit team leader is to be decisive, which means to "reach timely conclusions based on logical reasoning and analysis" (page 8). Being open minded, ethical, and perceptive are also desirable qualities for an audit team leader, but they do not match the description given in the question.
References: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 8.
質問 # 94
您是一位經驗豐富的 ISMS 審核團隊領導,協助審核員接受培訓,撰寫第一份審核報告。
您想要檢查培訓中的審核員對審核報告內容相關術語的理解,並選擇透過展示以下範例來實現此目的。
對於每個範例,您在培訓中詢問審核員描述活動的正確術語是什麼 將活動與描述進行配對。
正解:
解説:
Explanation:
1. An auditor using a copy of ISO/IEC 27001:2022 to check that its requirements are met:
Termed: Reviewing audit criteria.
Justification: The auditor is comparing the auditee's information security management system (ISMS) against the established criteria outlined in the ISO/IEC 27001:2022 standard. This activity falls under the use of audit criteria to determine conformity or nonconformity.
2. An auditor's note that the auditee is not adhering to its clear desk policy:
Termed: Identifying an audit finding.
Justification: The auditor has observed a deviation from the auditee's established policy on clear desks. This observation is documented as a potential nonconformity, which requires further investigation and evaluation.
3. An auditor making a decision regarding the auditee's conformity or otherwise to criteria:
Termed: Determining an audit conclusion.
Justification: Based on the collected audit evidence and evaluation against the established criteria, the auditor forms an opinion about the overall compliance of the auditee's ISMS. This opinion is the audit conclusion and is a key element of the audit report.
4. An auditor examining verifiable records relevant to the audit process:
Termed: Collecting audit evidence.
Justification: The auditor is gathering objective and verifiable information to support their findings and conclusions. This information comes from various sources, including documents, records, interviews, and observations.
質問 # 95
管理審核計畫的個人負責下列哪兩項行動?
- A. 確定審核計畫所需的資源
- B. 定義單獨審核的目標、範圍和標準
- C. 確定適用於每次審核的法律要求
- D. 柯平向認證機構通報了審核計畫的進度
- E. 定義單獨審核的計劃
- F. 審核期間與受審核方溝通
正解:A、D
解説:
* Establishing the audit programme objectives, scope and criteria
* Determining the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc.
* Selecting and appointing the audit team leaders and auditors
* Reviewing and approving the audit plans and arrangements
* Ensuring the effective communication and coordination among the audit programme stakeholders, such as the auditors, the auditees, the certification bodies, the accreditation bodies, etc.
* Keeping informed the accreditation body on the progress of the audit programme, especially in case of any significant changes, issues, or nonconformities
* Monitoring and reviewing the performance and results of the audit programme and the audit teams
* Evaluating the feedback and satisfaction of the auditees and other interested parties
* Identifying and implementing the opportunities for improvement of the audit programme The individual(s) managing the audit programme are not responsible for the following tasks, which are delegated to the audit team leaders or the auditors12:
* Communicating with the auditee during the audit, such as conducting the opening and closing meetings, resolving any audit-related problems, reporting any audit findings, etc.
* Determining the legal requirements applicable to each audit, such as the confidentiality, the impartiality, the consent, the liability, etc.
* Defining the objectives, scope and criteria for an individual audit, which are derived from the audit programme and agreed with the auditee
* Defining the plan of an individual audit, which includes the audit schedule, the audit activities, the audit methods, the audit documents, etc.
References:
* ISO 19011:2018 - Guidelines for auditing management systems
* PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-20
質問 # 96
您是一位經驗豐富的 ISMS 內部稽核師。
當 IT 經理找到您並要求您協助修改公司的適用性聲明時,您剛剛完成了組織的預定資訊安全審核。
IT 經理正在嘗試將基於 ISO/IEC 27001:2013 的適用性聲明更新為與 ISO/IEC 27001:2022 中的 4 個控制主題(組織控制、人員控制、實體控制、技術控制)一致的聲明。
IT 經理對控制權的重新分配感到滿意,但以下情況除外。他詢問您以下每個控制類別應出現在哪四個控制類別下。
正解:
解説:
Explanation:
8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected
= Technological control 7.8 Equipment shall be sited securely and protected = Physical control 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs = Organisational control 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises = People control Explanation: According to the web search results from my predefined tool, ISO 27001:2022 has restructured and consolidated the Annex A controls into four categories: organisational, people, physical, and technological12. These categories reflect the different aspects and dimensions of information security, and are aligned with the cybersecurity concepts of identify, protect, detect, respond, and recover3. The controls in each category are as follows4:
* Organisational controls: These are controls that relate to the governance, management, and coordination of information security activities within the organisation. They include controls such as information security policies, roles and responsibilities, risk assessment and treatment, performance evaluation, and improvement.
* People controls: These are controls that relate to the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. They include controls such as human resource security, training and awareness, access control, incident management, and business continuity.
* Physical controls: These are controls that relate to the protection of physical assets and environments that store, process, or transmit information. They include controls such as physical security, environmental security, equipment security, and media security.
* Technological controls: These are controls that relate to the use of technology to implement, monitor, and maintain information security. They include controls such as cryptography, network security, system security, application security, and threat intelligence.
Based on these categories, the controls listed in the question can be matched as follows:
* 8.1 Information stored on, processed by, or accessible via user endpoint devices shall be protected: This is a technological control, as it involves the use of technology to protect information on devices such as laptops, smartphones, tablets, etc. It may include measures such as encryption, authentication, antivirus, firewall, etc.
* 7.8 Equipment shall be sited securely and protected: This is a physical control, as it involves the protection of physical assets and environments that store, process, or transmit information. It may include measures such as locks, alarms, CCTV, fire suppression, etc.
* 5.2 Information security roles and responsibilities shall be defined and allocated according to the organisation's needs: This is an organisational control, as it involves the governance, management, and coordination of information security activities within the organisation. It may include measures such as defining the authority and accountability of information security personnel, establishing reporting lines and communication channels, assigning tasks and duties, etc.
* 6.7 Security measures shall be implemented when personnel are working remotely to protect information processed, processed, or stored outside the organisation's premises: This is a people control, as it involves the behaviour, awareness, and competence of the people involved in information security, both within and outside the organisation. It may include measures such as providing guidance and training on remote working, enforcing policies and procedures, monitoring and auditing remote activities, etc.
References: = 1: A Breakdown of ISO 27001:2022 Annex A Controls - BARR Advisory42: ISO 27001:2022 Annex A Controls - What's New? | ISMS.Online13: How many controls are there in ISO 27001:2022? - Strike Graph34: ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, Annex A.
質問 # 97
您正在一家提供醫療保健服務的住宅療養院進行 ISMS 初始認證審核。審計計劃的下一步是召開末次會議。在最終審核小組會議上,身為審核組組長,您同意報告 2 項輕微不符合項和 1 項改進機會,如下:
在閉幕會議上,管理系統代表 (MSR) 向您通報 ABC 將在未來 3 個月內與 WeCare 醫療設備製造商合併的資訊。合併後該組織的名稱將是 ABC。他詢問是否可以將 WeCare 醫療器材生產地點納入後續審核,以便認證中將其納入。他表示 WeCare 已通過 ISO/IEC 27001:2022 認證。
選擇一個選項以正確回應 MSR 的請求。
- A. 建議任何變更都會影響初始審核的認證範圍。該組織有責任在商定的時間範圍內更新認證機構,以便就合併 WeCare 做出決定。
- B. 建議需要對 WeCare 進行初步審核,但這可以與 ABC 的後續審核結合起來
- C. 建議最好延後認證流程並等待業務收購者完成
- D. 建議沒有問題。如果WeCare能夠獲得其認證機構的同意,新業務可以立即納入認證範圍
正解:A
解説:
According to ISO/IEC 27001 guidelines, any significant changes to the scope of the ISMS, such as a merger, must be communicated to the certification body. This ensures that the certification remains valid and that all locations and processes are included in the scope. The certification body will then decide the appropriate actions to incorporate the new entity into the existing certification.
References:
*ISO/IEC 27001 Lead Auditor Reference Materials
*PECB Candidate Handbook for ISO 27001 Lead Auditor
質問 # 98
選出最能完成句子的單字:
正解:
解説:
Explanation:
A third-party audit is an independent assessment of an organisation's management system by an external auditor, who is not affiliated with the organisation or its customers. The auditor verifies that the management system meets the requirements of a specific standard, such as ISO 27001, and evaluates its effectiveness and performance. The auditor also identifies any strengths, weaknesses, opportunities, or risks of the management system, and provides recommendations for improvement. The purpose of a third-party audit is to provide an objective and impartial evaluation of the organisation's management system, and to inform a certification decision by a certification body. A certification body is an organisation that grants a certificate of conformity to the organisation, after reviewing the audit report and evidence, and confirming that the management system meets the certification criteria. A certification decision is the outcome of the certification process, which can be positive (granting, maintaining, renewing, or expanding the scope of certification) or negative (suspending, withdrawing, or reducing the scope of certification). References:
* PECB Candidate Handbook ISO 27001 Lead Auditor, pages 19-25
* ISO 19011:2018 - Guidelines for auditing management systems
* The ISO 27001 audit process | ISMS.online
質問 # 99
場景 7:Lawsy 是一家領先的律師事務所,在新澤西州和紐約市設有辦公室。它擁有 50 多名律師,為商業法、智慧財產權、銀行和金融服務領域的客戶提供完善的法律服務。他們相信,由於他們致力於實施資訊安全最佳實踐並跟上技術發展的步伐,他們在市場上佔據了有利的地位。
Lawsy 已經嚴格實施、評估和進行 ISMS 內部審核兩年了。
現在,他們已向知名且值得信賴的認證機構ISMA申請ISO/IEC 27001認證。
在第一階段審核期間,審核小組審查了實施過程中所建立的所有 ISMS 文件。
他們還審查和評估了管理審查和內部審計的記錄。
Lawsy 提交了證據記錄,表明在必要時對不合格項採取了糾正措施,因此審核組約談了內部審核員。訪談透過提供對內部稽核計畫和程序的詳細了解,驗證了內部稽核的充分性和頻率。
審計小組繼續驗證戰略文件,包括資訊安全政策和風險評估標準。在資訊安全政策審查期間,團隊注意到描述治理框架(即資訊安全政策)的記錄資訊與程序之間存在不一致。
儘管允許員工將筆記型電腦帶到工作場所之外,但 Lawsy 並沒有製定有關在這種情況下使用筆記型電腦的程序。此政策僅提供有關筆記型電腦使用的一般資訊。該公司依靠員工的常識來保護筆記型電腦中儲存的資訊的機密性和完整性。該問題已記錄在第一階段審計報告中。
完成第一階段審核後,審核組長準備了審核計劃,其中闡述了審核目標、範圍、標準和程序。
在第二階段審核期間,審核小組約談了資安經理,資安經理起草了資訊安全政策。他透過指出 Lawsy 每三個月舉辦一次強制性資訊安全培訓和意識課程來證明第一階段中確定的問題的合理性。
面談後,審核小組檢查了 15 份員工培訓記錄(共 50 份),得出的結論是 Lawsy 符合 ISO/IEC 27001 有關培訓和意識的要求。為了支持這個結論,他們影印了檢查過的員工訓練記錄。
根據上述場景,回答以下問題:
根據情境 7,Lawsy 在開始第二階段審核之前該做什麼?
- A. 定義可以組合哪些審核測試計畫來驗證合規性
- B. 第一階段審核的審核結果進行品質審核
- C. 與認證機構審核並確認審核計劃
正解:C
解説:
Prior to the initiation of stage 2 audit, Lawsy should review and confirm the audit plan with the certification body. This ensures that both parties agree on the objectives, scope, and procedures for the stage 2 audit, thus aligning expectations and facilitating a smoother audit process.
References: ISO 19011:2018, Guidelines for auditing management systems
質問 # 100
當審核團隊的另一位成員向您尋求澄清時,您正在進行第三方監督審核。他們被要求評估組織對控制 5.7 - 威脅情報的應用。他們知道這是 2022 年版 ISO/IEC 中引入的新控制措施之一
27001,他們希望確保正確審核控制。
他們準備了一份清單來協助他們進行審核,並希望您確認他們計劃的活動符合控制要求。
下列哪三個選項代表有效的審計追蹤?
- A. 我將確定在威脅情報的生成中是否使用內部和外部資訊來源
- B. 我將確保將產生威脅情報的任務分配給組織的內部稽核團隊
- C. 我將檢查是否積極使用威脅情報來保護組織資訊資產的機密性、完整性和可用性
- D. 我將確保採取適當措施,向最高管理階層通報目前威脅情報安排的有效性
- E. 我將回顧如何收集和評估與資訊安全威脅相關的資訊以產生威脅情報
- F. 我將檢查該組織是否擁有完整記錄的威脅情報流程
- G. 我將確保組織的風險評估流程從有效的威脅情報開始
- H. 我將與高階主管交談,以確保所有員工都意識到報告威脅的重要性
正解:C、D、E
解説:
These three options represent valid audit trails for control 5.7, as they are aligned with the control's requirements and objectives. According to the web search results from my predefined tool, control 5.7 requires organisations to collect and analyse information relating to information security threats and use that information to take mitigation actions12. The control also specifies that threat intelligence should be relevant, perceptive, contextual, and actionable, and that it should be used to prevent, detect, or respond to threats34.
Therefore, the auditor should verify how the organisation collects, analyses, and produces threat intelligence, how it uses threat intelligence to protect its information assets, and how it monitors and evaluates the effectiveness of its threat intelligence arrangements. The other options are not valid audit trails, as they are either irrelevant, incorrect, or incomplete. For example:
*The task of producing threat intelligence is not assigned to the organisation's internal audit team, but to the person or team responsible for the ISMS, such as the information security manager or the information security committee5 .
*The organisation's risk assessment process does not begin with effective threat intelligence, but with the identification of the context, scope, and objectives of the ISMS . Threat intelligence is an input for the risk identification and analysis, but not the starting point of the risk assessment process.
*Speaking to top management to make sure all staff are aware of the importance of reporting threats is not sufficient to audit the control, as it does not address how the organisation collects, analyses, and produces threat intelligence, nor how it uses it to take mitigation actions. The auditor should also speak to the staff involved in the threat intelligence process, and review the relevant documents and records.
*Checking that the organisation has a fully documented threat intelligence process is not enough to audit the control, as it does not verify the implementation and effectiveness of the process. The auditor should also observe the process in action, and examine the outputs and outcomes of the process.
*Determining whether internal and external sources of information are used in the production of threat intelligence is a partial audit trail, as it only covers one aspect of the control. The auditor should also assess the quality, reliability, and relevance of the sources, and how the information is analysed and used.
References: = 1: ISO 27001:2022 Annex A 5.7 - Threat Intelligence - ISMS.online12: ISO 27001 Annex A
5.7 Threat Intelligence - High Table23: ISO/IEC 27001:2022 Information technology - Security techniques
- Information security management systems - Requirements, clause A.5.74: ISO 27002 Emphasizes Need For Threat Intelligence - Rapid745: ISO/IEC 27007:2011 Information technology - Security techniques - Guidelines for information security management systems auditing, clause 6.3.2. : ISO 27001 Statement of Applicability [Updated 2024] - Sprinto3 : ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, clause 6.1.1. : ISO 27001 Requirement 6.1.1 - Actions to address risks and opportunities | ISMS.online1
質問 # 101
關鍵的審計流程是審計員收集資訊並確定調查結果特徵的方式。按正確的順序列出列出的操作以完成此過程。最後一項已為您完成。
正解:
解説:
Explanation:
* Determine source of information
* Collect by means of appropriate sampling
* Reviewing
* Audit evidence
* Evaluating against audit criteria
* Audit findings
* Audit conclusions
The reviewing step involves checking the accuracy, completeness, and relevance of the collected information.
The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO
27001 standard and the organization's own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.
質問 # 102
在第三方認證審核中,保密性是審核計畫中的一個問題。選擇正確說明審計中保密功能的兩個選項
- A. 審核員在使用攝影機或錄音設備之前應獲得受審核方的許可
- B. 審核團隊中的觀察員無法存取任何機密資訊
- C. 由於審核員始終有導遊陪同,因此不會對受審核方的敏感資訊造成風險
- D. 監理要求迫使審核員在審核中保密
- E. 審計資訊可用於審計人員提升個人能力
- F. 保密是審計行為的原則之一
正解:A、F
解説:
Confidentiality is one of the principles of audit conduct that auditors should adhere to when performing audits. Confidentiality means that auditors should exercise discretion in the use and protection of information acquired in the course of their duties3. Auditors should respect the intellectual property rights of the auditee and other parties involved in the audit, and should not disclose any information that is sensitive, proprietary, or confidential without prior approval from the auditee or other authorized parties3. Auditors should also obtain the auditee's permission before using a camera or recording equipment during an audit, as these devices may capture confidential information or infringe on the privacy of individuals3. Therefore, these two options correctly state the function of confidentiality in an audit. The other options are either incorrect or irrelevant to confidentiality. For example, auditors are not forced by regulatory requirements to maintain confidentiality in an audit, but rather by ethical obligations and contractual agreements3. Observers in an audit team can access confidential information if they have signed a confidentiality agreement and have been authorized by the auditee3. Audit information can be used for improving personal competence by the auditor only if it does not compromise confidentiality or conflict with other interests3. As an auditor is always accompanied by a guide, there is still a risk to the auditee's sensitive information if the guide is not trustworthy or authorized to access such information3. References: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 103
您正在對客戶的 ISMS 進行第三方監督審核。您目前位於資料中心的安全儲存區域,組織的客戶可以暫時定位進出站點的設備。該設備包含在上鎖的櫃子內,每個櫃子都分配給一個特定的客戶端。
你用眼角的餘光發現儲藏區外門附近有動靜。隨後是一聲巨響。你問導遊發生了什麼事。他們告訴您,最近的高降雨量導致當地河流水位上升,並導致老鼠氾濫。發出噪音的是專門的害蟲控制致暈裝置被觸發。你檢查角落的裝置,發現裡面有一隻一動也不動的大老鼠。
接下來應該採取哪三項行動?
- A. 不採取進一步行動。這是 ISMS 審核,而非環境管理系統審核
- B. 針對控制 7.2 實體條目提出不符合項
- C. 針對控制 7.4 實體安全監控提出不符合項
- D. 調查害蟲侵擾是否是已識別的風險,如果是,則應採取哪些風險處理措施
- E. 與指南核實他們打算啟動組織的資訊安全事件流程
- F. 確定大量降雨是否對資料中心營運產生其他影響,例如
基礎設施損壞、客戶訪問問題、調用業務連續性安排 - G. 檢查客戶機櫃是否有囓齒動物進入的跡象,並將您的發現記錄為審計證據
- H. 協助導遊人道處置老鼠並重置設備
正解:D、E、F
解説:
The appropriate actions to take next are to investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied, to determine whether the high levels of rainfall have had other impacts on data centre operations, and to check with the guide that they intend to initiate the organisation's information security incident process. These actions are relevant to the ISMS audit objectives and criteria, as they relate to the organisation's risk assessment and treatment, security performance, and incident management processes.
The other actions are either not within the scope of the ISMS audit, not required by the ISO/IEC 27001 standard, or not the responsibility of the auditor. References: PECB Candidate Handbook1, page 21-22; ISO
/IEC 27001:2022 (en)2, clauses 6.1, 8.2, 9.1, and 10.2.
質問 # 104
您的組織目前正在尋求 ISO/IEC27001:2022 認證。您剛剛獲得內部 ISMS 審核員資格,ICT 經理希望利用您新獲得的知識來協助他設計資訊安全事件管理流程。
他確定了計劃流程中的以下階段,並要求您確認它們應按哪個順序出現。
正解:
解説:
Explanation:
Step 1 = Incident logging Step 2 = Incident categorisation Step 3 = Incident prioritisation Step 4 = Incident assignment Step 5 = Task creation and management Step 6 = SLA management and escalation Step 7 = Incident resolution Step 8 = Incident closure The order of the stages in the information security incident management process should follow a logical sequence that ensures a quick, effective, and orderly response to the incidents, events, and weaknesses. The order should also be consistent with the best practices and guidance provided by ISO/IEC 27001:2022 and ISO
/IEC 27035:2022. Therefore, the following order is suggested:
* Step 1 = Incident logging: This step involves recording the details of the potential incident, event, or weakness, such as the date, time, source, description, impact, and reporter. This step is important to provide a traceable record of the incident and to facilitate the subsequent analysis and response. This step is related to control A.16.1.1 of ISO/IEC 27001:2022, which requires the organization to establish responsibilities and procedures for the management of information security incidents, events, and weaknesses. This step is also related to clause 6.2 of ISO/IEC 27035:2022, which provides guidance on how to log the incidents, events, and weaknesses.
* Step 2 = Incident categorisation: This step involves determining the type and nature of the incident, event, or weakness, such as whether it is a hardware issue, network issue, or software issue. This step is important to classify the incident and to assign it to the appropriate resolver or team. This step is related to control A.16.1.2 of ISO/IEC 27001:2022, which requires the organization to report information security events and weaknesses as quickly as possible through appropriate management channels. This step is also related to clause 6.3 of ISO/IEC 27035:2022, which provides guidance on how to categorize the incidents, events, and weaknesses.
* Step 3 = Incident prioritisation: This step involves assessing the severity and urgency of the incident, event, or weakness, and classifying it as critical, high, medium, or low. This step is important to prioritize the incident and to allocate the necessary resources and time for the response. This step is related to control A.16.1.3 of ISO/IEC 27001:2022, which requires the organization to assess and prioritize information security events and weaknesses in accordance with the defined criteria. This step is also related to clause 6.4 of ISO/IEC 27035:2022, which provides guidance on how to prioritize the incidents, events, and weaknesses.
* Step 4 = Incident assignment: This step involves passing the incident, event, or weakness to the individual or team who is best suited to resolve it, based on their skills, knowledge, and availability.
This step is important to ensure that the incident is handled by the right person or team and to avoid delays or confusion. This step is related to control A.16.1.4 of ISO/IEC 27001:2022, which requires the organization to respond to information security events and weaknesses in a timely manner, according to the agreed procedures. This step is also related to clause 6.5 of ISO/IEC 27035:2022, which provides guidance on how to assign the incidents, events, and weaknesses.
* Step 5 = Task creation and management: This step involves identifying and coordinating the work needed to resolve the incident, event, or weakness, such as performing root cause analysis, testing solutions, implementing changes, and documenting actions. This step is important to ensure that the incident is resolved effectively and efficiently, and that the actions are tracked and controlled. This step is related to control A.16.1.5 of ISO/IEC 27001:2022, which requires the organization to apply lessons learned from information security events and weaknesses to take corrective and preventive actions. This step is also related to clause 6.6 of ISO/IEC 27035:2022, which provides guidance on how to create and manage the tasks for the incidents, events, and weaknesses.
* Step 6 = SLA management and escalation: This step involves ensuring that any service level agreements (SLAs) are adhered to while the resolution is being implemented, and that the incident is escalated to a higher level of authority or support if a breach looks likely or occurs. This step is important to ensure that the incident is resolved within the agreed time frame and quality, and that any deviations or issues are communicated and addressed. This step is related to control A.16.1.6 of ISO
/IEC 27001:2022, which requires the organization to communicate information security events and weaknesses to the relevant internal and external parties, as appropriate. This step is also related to clause 6.7 of ISO/IEC 27035:2022, which provides guidance on how to manage the SLAs and escalations for the incidents, events, and weaknesses.
* Step 7 = Incident resolution: This step involves applying a temporary workaround or a permanent solution to resolve the incident, event, or weakness, and restoring the normal operation of the information and information processing facilities. This step is important to ensure that the incident is resolved completely and satisfactorily, and that the information security is restored to the desired level.
This step is related to control A.16.1.7 of ISO/IEC 27001:2022, which requires the organization to identify the cause of information security events and weaknesses, and to take actions to prevent their recurrence or occurrence. This step is also related to clause 6.8 of ISO/IEC 27035:2022, which provides guidance on how to resolve the incidents, events, and weaknesses.
* Step 8 = Incident closure: This step involves closing the incident, event, or weakness, after verifying that it has been resolved satisfactorily, and that all the actions have been completed and documented.
This step is important to ensure that the incident is formally closed and that no further actions are required. This step is related to control A.16.1.8 of ISO/IEC 27001:2022, which requires the organization to collect evidence and document the information security events and weaknesses, and the actions taken. This step is also related to clause 6.9 of ISO/IEC 27035:2022, which provides guidance on how to close the incidents, events, and weaknesses.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1
* PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2
* ISO 27001:2022 Lead Auditor - PECB3
* ISO 27001:2022 certified ISMS lead auditor - Jisc4
* ISO/IEC 27001:2022 Lead Auditor Transition Training Course5
* ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6
* ISO/IEC 27035:2022, Information technology - Security techniques - Information security incident management
質問 # 105
您正在一家提供醫療保健服務的住宅療養院進行 ISMS 審核。審核計畫的下一步是驗證業務連續性管理流程的資訊安全性。
在審計過程中,您了解到該組織啟動了其中一項業務連續性計劃 (BCP),以確保護理服務在最近的大流行期間繼續進行。您要求服務經理解釋組織如何在業務連續性管理流程中管理資訊安全。
服務經理提出針對大流行的護理服務連續性計劃,並將流程總結如下:
停止接納任何新居民。
70%的行政人員和30%的醫護人員將在家工作。
定期員工自我檢測,包括在來辦公室前 1 天提交陰性檢測報告。
安裝 ABC 的醫療保健行動應用程序,追蹤他們的足跡並出示綠色健康狀況二維碼以供現場檢查。
您詢問服務經理,當員工在家工作時,如何防止非相關家庭成員或利害關係人存取居民的個人資料。服務經理無法回答,並建議安全經理應提供協助。
您想要進一步調查其他領域以收集更多審計證據 選擇將在您的審計追蹤中的三個選項。
- A. 收集更多有關組織如何進行業務風險評估的證據,以評估現有居民離開療養院的速度。 (與第6條相關)
- B. 收集更多證據,說明組織如何確保只有檢測結果為陰性的員工才能進入組織(與控制措施 A.7.2 相關)
- C. 透過訪問更多員工來了解他們對在家工作的感受,收集更多證據。
(與第4.2條相關) - D. 收集更多有關組織如何管理行動裝置上和遠端辦公期間的資訊安全的證據(與控制措施 A.6.7 相關)
- E. 收集更多證據,了解組織提供哪些資源來支持在家工作的員工。 (與第7.1條相關)
- F. 收集更多有關如何以及何時測試業務連續性廣域網路的證據。 (與控制措施 A.5.29 相關)
正解:B、D、F
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that will be in the audit trail for verifying control A.5.29 are:
* Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.
* Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.
* Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.
The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:
* Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.
* Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.
* Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements
質問 # 106
情境 6:Sinvestment 是一家提供家庭保險、商業保險和人壽保險的保險公司。該公司成立於北卡羅來納州,但最近在其他地區進行了擴張,包括歐洲和非洲。
Sinvestment 致力於遵守適用於其行業的法律法規,並防止任何資訊安全事件。他們實施了基於 ISO/IEC 27001 的 ISMS 並申請了 ISO/IEC 27001 認證。
認證機構指派兩名審核員進行審核。與Sinvestment簽訂保密協議後。他們開始了審計活動。首先,他們審查了標準要求的文件,包括 ISMS 範圍聲明、資訊安全政策和內部稽核報告。審查過程並不容易,因為儘管 Sinvestment 表示他們已製定文件程序,但並非所有文件都具有相同的格式。
隨後,審計小組對Sinvestment的高階主管進行了多次訪談,以了解他們在ISMS實施中的作用。第一階段審計的所有活動都是遠端進行的,除了根據 Sinvestment 的要求在現場進行的文件資訊審查之外。
在此階段,審計人員發現沒有與資訊安全培訓和意識計劃相關的文件。被問及時,Sinvestment代表表示,公司已為所有員工提供資訊安全培訓課程。第一階段審計讓審計團隊對 Sinvestment 的營運和 ISMS 有了整體了解。
第二階段審核在第一階段審核三週後進行。審計小組觀察到,行銷部門(未包含在審計範圍內)沒有適當的程序來控制員工的存取權限。由於控制員工的存取權限是ISO/IEC 27001的要求之一,並且已包含在公司的資訊安全政策中,因此該問題包含在審計報告中。此外,在第二階段審計中,審計小組觀察到Sinvestment沒有記錄使用者活動日誌。
該公司的程序規定“記錄用戶活動的日誌應保留並定期審查”,但該公司沒有提供任何執行該程序的證據。
在所有審核活動中,審核員透過觀察、訪談、文件化資訊審查、分析和技術驗證來收集資訊和證據。對第一階段和第二階段的所有審核結果進行了分析,審核小組決定發布積極的認證建議。
在第一階段審核中,審核小組發現Sinvestment沒有資訊安全訓練和意識的記錄。在這種情況下,Sinvestment 會做什麼?請參閱場景 6。
- A. 記錄已識別的問題並在認證審核完成後進行更正
- B. 執行新的風險評估流程以了解問題是否需要修改
- C. 在第 2 階段審核之前修正已識別的問題
正解:C
解説:
Sinvestment should correct the identified issue related to the lack of documentation on information security training and awareness before the stage 2 audit. Addressing this gap promptly ensures that the ISMS is fully compliant and effective when assessed in the subsequent audit stage.
References: ISO/IEC 27001:2013, Clause 7.2 (Competence)
質問 # 107
情境 8:EsBank 自 9 月起為愛沙尼亞銀行業提供銀行和金融解決方案
2010年,該公司在全國擁有30家分行和100多台ATM機。
EsBank 在高度監管的行業中運營,必須遵守許多有關資料安全和隱私的法律和法規。他們需要透過實施技術和非技術控制來管理整個營運的資訊安全。 EsBank 決定實施基於 ISO/IEC 的 ISMS
27001,因為它提供了更好的安全性、更多的風險控制以及符合法律法規的關鍵要求。
在成功實施 ISMS 九個月後,EsBank 決定由獨立認證機構根據 ISO/IEC 27001 對其 ISMS 進行認證。
第一階段和第二階段審核是共同進行的,發現了一些不符合項。第一個不合格之處與 EsBank 的資訊標籤有關。該公司有資訊分類方案,但沒有資訊標籤程序。因此,需要相同保護等級的文件將被貼上不同的標籤(有時為機密,有時為敏感)。
考慮到所有文件也以電子方式存儲,不合格情況也影響了媒體處理。審計小組透過抽樣得出結論,200 個可移動媒體中有 50 個儲存了被錯誤分類為機密的敏感資訊。根據資訊分類方案,允許將機密資訊儲存在可移動媒體中,而嚴格禁止儲存敏感資訊。這標誌著另一個不合格之處。
他們起草了不合格報告,並與 EsBank 代表討論了審計結論,代表同意在兩個月內針對發現的不合格問題提交行動計劃。
EsBank 接受了審計組組長提出的解決方案。他們根據實體和電子格式的分類方案起草了資訊標籤程序,解決了不合格問題。可移動媒體程式也基於此程式進行了更新。
審計完成兩週後,EsBank 提交了總體行動計畫。在那裡,他們解決了檢測到的不合格問題以及採取的糾正措施,但沒有包括有關受影響的系統、控製或操作的任何詳細資訊。審核小組評估了該行動計劃並得出結論,該計劃將解決不合格問題。然而,EsBank 收到了不利的認證建議。
根據上述場景,回答以下問題:
根據情境8,EsBank 提交了總體行動計畫。這是可以接受的嗎?
- A. 不,行動計畫應該只解決一個不合格問題
- B. 是的,具有相同根本原因的不符合項應該有一個總體行動計劃
- C. 不,一般行動計畫無法修正不合格項
正解:C
解説:
No, a general action plan is not acceptable in this context because it lacks specific details on systems, controls, or operations impacted by the nonconformities. An effective action plan should detail the specific corrective actions for each nonconformity to ensure comprehensive resolution and prevent recurrence.
質問 # 108
------------- 與其他重要業務資產一樣,該資產對組織有價值,因此需要受到保護。
- A. 數據
- B. 基礎設施
- C. 安全
- D. 訊息
正解:D
解説:
Information is an asset like other important business assets, as it has value to an organization and consequently needs to be protected. Information can be in any form, such as electronic, paper, or verbal. Information security is the protection of information from unauthorized access, use, disclosure, modification, or destruction2. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA
質問 # 109
下列哪兩個短語是與第一方審核相關的「目標」?
- A. 應用監理要求
- B. 為認證機構準備審核報告
- C. 確認管理系統的範圍準確
- D. 更新管理策略
- E. 按時完成審核
- F. 應用國際標準
正解:C、D
解説:
A first-party audit is an internal audit conducted by the organization itself or by an external party on its behalf. The objectives of a first-party audit are to: 12
* Confirm the scope of the management system is accurate, i.e., it covers all the processes, activities, locations, and functions that are relevant to the information security objectives and requirements of the organization.
* Update the management policy, i.e., review and revise the policy statement, roles and responsibilities, and objectives and targets of the information security management system (ISMS) based on the audit findings and feedback.
The other phrases are not objectives of a first-party audit, but rather:
* Apply international standards: This is a requirement for the ISMS, not an objective of the audit. The ISMS must conform to the ISO/IEC 27001 standard and any other applicable standards or regulations12
* Prepare the audit report for the certification body: This is an activity of a third-party audit, not a first- party audit. A third-party audit is an external audit conducted by an independent certification body to verify the conformity and effectiveness of the ISMS and to issue a certificate of compliance12
* Complete the audit on time: This is a performance indicator, not an objective of the audit. The audit should be completed within the planned time frame and budget, but this is not the primary purpose of the audit12
* Apply regulatory requirements: This is also a requirement for the ISMS, not an objective of the audit. The ISMS must comply with the legal and contractual obligations of the organization regarding information security12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
質問 # 110
以下是「誠信」的目的,這是資訊安全的基本組成部分之一
- A. 保障資產準確性和完整性的屬性。
- B. 資訊不會提供或揭露給未經授權的個人的屬性
- C. 根據授權實體的要求可存取和使用的屬性。
- D. 資訊不會提供或揭露給未經授權的個人的屬性
正解:A
解説:
Integrity is one of the basic components of information security, along with confidentiality and availability.
Integrity means that information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness. Integrity ensures that information is reliable and trustworthy3. References: ISO
/IEC 27001:2022 Lead Auditor Training Course - BSI
質問 # 111
當使用者在緩衝區中新增的資料超出其儲存容量所允許的數量時,資料處理工具就會崩潰。該事件是由於該工具無法綁定檢查數組而引起的。這是什麼樣的漏洞?
- A. 固有漏洞,因為無法綁定檢查數組是資料處理工具的特性
- B. 外在漏洞,因為無法綁定檢查陣列與外部因素有關
- C. 無,工具無法綁定檢查陣列不是漏洞,而是威脅
正解:A
解説:
An intrinsic vulnerability refers to a weakness that is inherent to a system or tool, such as a data processing tool's inability to perform bound checking on arrays. This characteristic makes the system susceptible to issues like buffer overflows, which can lead to crashes or other types of failures. References: = The concept of intrinsic vulnerability is based on the understanding that certain vulnerabilities are built into the system and are not influenced by external factors. This aligns with the general principles of information security management systems and the content typically covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programs
質問 # 112
從以下選項中選擇一個最能完成句子的單字:
要用單字完成句子,請點擊要完成的空白部分,使其以紅色突出顯示,然後從下面的選項中點擊應用程式文字。或者,您可以將該選項拖曳到適當的空白部分。
正解:
解説:
Explanation:
The purpose of a management system audit is to evaluate the performance of an organization's management system.
A management system audit is an independent and systematic analysis and evaluation of a company's overall activities and performances1. It is a valuable tool used to determine the efficiency, functions, accomplishments and achievements of the company1. A management system audit can be conducted against a range of audit criteria, including (but not limited to) requirements set of in existing ISO standards2.
According to ISO 19011:2018, which provides guidelines for auditing management systems, the purpose of an audit is to enable the auditor to provide an audit conclusion that is related to the audit objectives2. The audit objectives are defined by the audit client and may include determining the extent of conformity or nonconformity of the audited management system against the audit criteria, evaluating the ability of the audited management system to ensure that the organization meets applicable statutory, regulatory and contractual requirements, identifying potential improvement opportunities for the audited management system, and facilitating continual improvement of the audited management system2.
Therefore, the correct answer is evaluate, as it best describes the purpose of a management system audit. The other options are not correct because they are not specific enough or do not reflect the intended outcome of an audit. For example, improve implies that the audit itself will enhance the performance of the management system, which is not necessarily true. Manage implies that the audit will control or direct the management system, which is not its role. Research implies that the audit will generate new knowledge or information about the management system, which is not its primary aim.
質問 # 113
......
オンライン問題傑作練習用であなたの試験を合格してみせます:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-CN-mondaishu.html
練習できるISO-IEC-27001-Lead-Auditor-CNにはGoShiken明確な練習であなたをPECB Certified ISO/IEC 27001 Lead Auditor exam (ISO-IEC-27001-Lead-Auditor中文版)試験合格させます:https://drive.google.com/open?id=1GSYQPU6Rpa9JZeoK9-b0hz3WeqAGwVSW