2025年最新の保証された成功できるISO-IEC-27001-Lead-Auditor問題集でPECBのPDF問題
格別な練習PECB Certified ISO/IEC 27001 Lead Auditor exam問題集で最速合格させます
PECB ISO-IEC-27001-LEAD-AUDITOR認定は、グローバルに認識されており、雇用主によって高く評価されています。この認定は、個人が組織のISMを効果的に監査し、ISO/IEC 27001標準に準拠していることを保証するために必要なスキルと知識を持っていることを示しています。この認定は、ITマネージャー、セキュリティコンサルタント、監査人など、情報セキュリティ管理の分野で働く専門家にとって特に価値があります。
質問 # 130
Scenario 3: Rebuildy is a construction company located in Bangkok.. Thailand, that specializes in designing, building, and maintaining residential buildings. To ensure the security of sensitive project data and client information, Rebuildy decided to implement an ISMS based on ISO/IEC 27001. This included a comprehensive understanding of information security risks, a defined continual improvement approach, and robust business solutions.
The ISMS implementation outcomes are presented below
* Information security is achieved by applying a set of security controls and establishing policies, processes, and procedures.
* Security controls are implemented based on risk assessment and aim to eliminate or reduce risks to an acceptable level.
* All processes ensure the continual improvement of the ISMS based on the plan-do-check-act (PDCA) model.
* The information security policy is part of a security manual drafted based on best security practices Therefore, it is not a stand-alone document.
* Information security roles and responsibilities have been clearly stated in every employees job description
* Management reviews of the ISMS are conducted at planned intervals.
Rebuildy applied for certification after two midterm management reviews and one annual internal audit Before the certification audit one of Rebuildy's former employees approached one of the audit team members to tell them that Rebuildy has several security problems that the company is trying to conceal. The former employee presented the documented evidence to the audit team member Electra, a key client of Rebuildy, also submitted evidence on the same issues, and the auditor determined to retain this evidence instead of the former employee's. The audit team member remained in contact with Electra until the audit was completed, discussing the nonconformities found during the audit. Electra provided additional evidence to support these findings.
At the beginning of the audit, the audit team interviewed the company's top management They discussed, among other things, the top management's commitment to the ISMS implementation. The evidence obtained from these discussions was documented in written confirmation, which was used to determine Rebuildy's conformity to several clauses of ISO/IEC 27001 The documented evidence obtained from Electra was attached to the audit report, along with the nonconformities report. Among others, the following nonconformities were detected:
* An instance of improper user access control settings was detected within the company's financial reporting system.
* A stand-alone information security policy has not been established. Instead, the company uses a security manual drafted based on best security practices.
After receiving these documents from the audit team, the team leader met Rebuildy's top management to present the audit findings. The audit team reported the findings related to the financial reporting system and the lack of a stand-alone information security policy. The top management expressed dissatisfaction with the findings and suggested that the audit team leader's conduct was unprofessional, implying they might request a replacement. Under pressure, the audit team leader decided to cooperate with top management to downplay the significance of the detected nonconformities. Consequently, the audit team leader adjusted the report to present a more favorable view, thus misrepresenting the true extent of Rebuildy's compliance issues.
Based on the scenario above, answer the following question:
Based on Scenario 3, the audit team used information obtained from interviews with top management to determine Rebuildy's conformity to several ISO/IEC 27001 clauses. Is this acceptable?
- A. Yes, interviews with top management are the most reliable form of audit evidence and can be used to determine conformity to the standard without further verification
- B. Yes, the audit team obtained verbal evidence by written confirmations from the top management, which can be used to determine conformity to the standard
- C. No, the audit team should have used only documentary evidence, such as policies and procedures, to determine conformity
正解:B
解説:
Comprehensive and Detailed In-Depth
B . Correct Answer:
Audit evidence can come from interviews, observations, and documentation.
Verbal evidence from top management is acceptable if documented and confirmed in writing.
A . Incorrect:
ISO 19011 allows verbal evidence as long as it is substantiated.
C . Incorrect:
Interviews alone are not sufficient-additional verification is required.
Relevant Standard Reference:
質問 # 131
Please match the following situations to the type of audit required.
正解:
解説:
Explanation
* Top management requests auditors from the organisation's compliance department to audit the production process in order to ensure the final product meets quality requirements = First-party audit
* Auditors from the buyer's organisation audit their raw material supplier to ensure the supply fulfils the order and contract = Second-party audit
* Auditors from an independent certification body conduct an audit of the organisation to verify conformity with an ISO Standard for certification purposes = Third-party audit
* The organisation has been audited against two management system standards in one audit = Combined audit Explanation: According to the ISO/IEC 27001 standard, there are three main categories of audits: internal, external, and certification1. An internal audit, also known as a first-party audit, is an audit conducted by the organisation itself, or by an external party on its behalf, for management review and other internal purposes12. An external audit, also known as a second-party audit, is an audit conducted by a customer or other interested party on a supplier or contractor to verify compliance with contractual or other requirements12. A certification audit, also known as a third-party audit, is an audit conducted by an independent certification body to verify conformity with an ISO standard for certification purposes12. A combined audit is an audit where two or more management system standards are audited together3.
References: 1: PECB Candidate Handbook - ISO/IEC 27001 Lead Auditor, page 192: ISO 27001 Audit Types and How They are Conducted23: The Four ISO 27001 Audit Categories, Explained4
質問 # 132
An auditor of organisation A performs an audit of supplier B. Which two of the following actions is likely to represent a breach of confidentiality by the auditor after having identified findings in B's information security management system?
- A. Shares the findings with B's Information Security Manager
- B. Shares the findings with A's supplier evaluation team
- C. Shares the findings with B's other customers
- D. Shares the findings with other relevant managers in A
- E. Shares the findings with other relevant managers in B
- F. Shares the findings with B's certification body
正解:C、D
解説:
According to the PECB Candidate Handbook1, one of the principles of auditing is confidentiality, which means that auditors should respect the confidentiality of information obtained during the audit and not disclose it to unauthorized parties. The handbook also states that auditors should only report audit results to those who have a legitimate need to know, such as the client, the auditee, and the certification body. Therefore, sharing the findings with other relevant managers in A or B's other customers would be a breach of confidentiality, as they are not directly involved in the audit process or the information security management system of B.
Sharing the findings with B's Information Security Manager or other relevant managers in B would be appropriate, as they are part of the auditee organization and responsible for the implementation and improvement of the ISMS. Sharing the findings with A's supplier evaluation team or B's certification body would also be acceptable, as they have a legitimate need to know the audit results for the purpose of supplier selection or certification, respectively. References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 7-8.
質問 # 133
As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage media. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?
- A. Conformity
- B. Nonconformity
- C. Anomaly
正解:A
解説:
This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as "confidential," more stringent procedures apply, whereas for "public" information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.
References: ISO/IEC 27001:2013, Clause A.8.2 (Information classification)
質問 # 134
Stages of Information
- A. creation, distribution, use, maintenance, disposition
- B. creation, evolution, maintenance, use, disposition
- C. creation, distribution, maintenance, disposition, use
- D. creation, use, disposition, maintenance, evolution
正解:A
解説:
The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.
質問 # 135
After a fire has occurred, what repressive measure can be taken?
- A. Buying in a proper fire insurance policy
- B. Extinguishing the fire after the fire alarm sounds
- C. Repairing all systems after the fire
正解:B
解説:
A repressive security measure is a measure that aims to stop or limit an ongoing incident from causing further harm, or to restore normal operations as soon as possible. A repressive security measure can be a policy, a procedure, a device, a technique or an action that responds to an incident and mitigates its consequences. Extinguishing the fire after the fire alarm sounds is an example of a repressive security measure, because it stops the fire from spreading and damaging more assets or endangering more people. ISO/IEC 27001:2022 defines repressive control as "control that modifies risk by reducing the consequences of an unwanted incident" (see clause 3.38). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, [What is Repressive Security?]
質問 # 136
Your organisation is currently seeking ISO/IEC27001:2022 certification. You have just qualified as an Internal ISMS auditor and the ICT Manager wants to use your newly acquired knowledge to assist him with the design of an information security incident management process.
He identifies the following stages in his planned process and asks you to confirm which order they should appear in.
正解:
解説:
Reference:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1 PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2 ISO 27001:2022 Lead Auditor - PECB3 ISO 27001:2022 certified ISMS lead auditor - Jisc4 ISO/IEC 27001:2022 Lead Auditor Transition Training Course5 ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6 ISO/IEC 27035:2022, Information technology - Security techniques - Information security incident management
質問 # 137
Objectives, criteria, and scope are critical features of a third-party ISMS audit. Which two issues are audit objectives?
- A. Review organisation efficiency
- B. Confirm sites operating the ISMS
- C. Determine the scope of the ISMS
- D. Fulfil the audit plan
- E. Evaluate customer processes and functions
- F. Assess conformity with ISO/IEC 27001 requirements
正解:B、F
解説:
Audit objectives are the specific purposes or goals that the customer or the certification body wants to achieve through the audit. They define what the audit intends to accomplish and provide the basis for planning and conducting the audit. Audit objectives may vary depending on the type, scope, and criteria of the audit, but they should be clear, measurable, and achievable.
Some examples of audit objectives for a third-party ISMS audit are:
* Assess conformity with ISO/IEC 27001 requirements: This objective means that the audit aims to verify that the organisation's ISMS meets the requirements of the ISO/IEC 27001 standard, which specifies the best practices for establishing, implementing, maintaining, and improving an information security management system. The audit will evaluate the organisation's ISMS documentation, processes, controls, and performance against the standard's clauses and annex A controls.
* Confirm sites operating the ISMS: This objective means that the audit aims to confirm that the organisation's ISMS covers all the relevant sites or locations where the organisation operates or provides its services. The audit will verify that the scope of the ISMS is accurate and consistent with the organisation's context, objectives, and risks.
The other phrases are not audit objectives, but rather:
* Evaluate customer processes and functions: This is not an audit objective, but rather a possible audit criterion or a requirement that the organisation's processes and functions should meet. The audit criterion is the reference against which the audit evidence is compared to determine conformity or nonconformity. The audit criterion may include ISO/IEC 27001 requirements, customer requirements, or other applicable standards or regulations.
* Fulfil the audit plan: This is not an audit objective, but rather a task or an activity that the auditor performs during the audit. The audit plan is a document that describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. The auditor should follow and fulfil the audit plan to ensure that the audit is conducted effectively and efficiently.
* Determine the scope of the ISMS: This is not an audit objective, but rather a prerequisite or an input for conducting the audit. The scope of the ISMS is the extent and boundaries of the information security management system within the organisation. It defines what processes, activities, locations, assets, and stakeholders are included or excluded from the ISMS. The scope of the ISMS should be determined by the organisation before applying for certification or undergoing an audit.
* Review organisation efficiency: This is not an audit objective, but rather a possible outcome or a result of conducting an audit. The organisation efficiency is a measure of how well the organisation uses its
* resources to achieve its goals and objectives. The audit may help review and improve the organisation efficiency by identifying strengths, weaknesses, opportunities, and threats in its information security management system.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO 19011:2018 Guidelines for auditing management systems [Section 5.3.1]
質問 # 138
Stages of Information
- A. creation, distribution, use, maintenance, disposition
- B. creation, evolution, maintenance, use, disposition
- C. creation, distribution, maintenance, disposition, use
- D. creation, use, disposition, maintenance, evolution
正解:A
解説:
Explanation
The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.
質問 # 139
Scenario 4: SendPay is a financial company that provides its services through a network of agents and financial institutions. One of their main services is transferring money worldwide. SendPay, as a new company, seeks to offer top quality services to its clients. Since the company offers international transactions, it requires from their clients to provide personal information, such as their identity, the reason for the transactions, and other details that might be needed to complete the transaction. Therefore, SendPay has implemented security measures to protect their clients' information, including detecting, investigating, and responding to any information security threats that may emerge. Their commitment to offering secure services was also reflected during the ISMS implementation where the company invested a lot of time and resources.
Last year, SendPay unveiled their digital platform that allows money transactions through electronic devices, such as smartphones or laptops, without requiring an additional fee. Through this platform, SendPay's clients can send and receive money from anywhere and at any time. The digital platform helped SendPay to simplify the company's operations and further expand its business. At the time, SendPay was outsourcing its software operations, hence the project was completed by the software development team of the outsourced company. The same team was also responsible for maintaining the technology infrastructure of SendPay.
Recently, the company applied for ISO/IEC 27001 certification after having an ISMS in place for almost a year. They contracted a certification body that fit their criteri a. Soon after, the certification body appointed a team of four auditors to audit SendPay's ISMS.
During the audit, among others, the following situations were observed:
1. The outsourced software company had terminated the contract with SendPay without prior notice. As a result, SendPay was unable to immediately bring the services back in-house and its operations were disrupted for five days. The auditors requested from SendPay's representatives to provide evidence that they have a plan to follow in cases of contract terminations. The representatives did not provide any documentary evidence but during an interview, they told the auditors that the top management of SendPay had identified two other software development companies that could provide services immediately if similar situations happen again.
2. There was no evidence available regarding the monitoring of the activities that were outsourced to the software development company. Once again, the representatives of SendPay told the auditors that they regularly communicate with the software development company and that they are appropriately informed for any possible change that might occur.
3. There was no nonconformity found during the firewall testing. The auditors tested the firewall configuration in order to determine the level of security provided by these services. They used a packet analyzer to test the firewall policies which enabled them to check the packets sent or received in real-time.
Based on this scenario, answer the following question:
Why could SendPay not restore their services back in-house after the contract termination? Refer to scenario 4.
- A. Because SendPay lacked a comprehensive business continuity plan with potential impact of contract terminations
- B. Because the outsourced software company terminated the contract with SendPay without prior notice
- C. Because SendPay did not monitor the technology infrastructure of the outsourced software operations
正解:A
解説:
SendPay's inability to restore their services immediately after the contract termination indicates a lack of a comprehensive business continuity plan that addresses the potential impacts of such terminations. This oversight can result in significant operational disruptions, as observed.
質問 # 140
During a Stage 1 audit opening meeting, the Management System Representative (MSR) asks to extend the audit scope to include a new site overseas which they have expanded into since the certification application was made.
Select two options for how the auditor should respond.
- A. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area
- B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned
- C. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
- D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit
- E. Advise the MSR that, within the existing scope, the new work area can be included without any problem
- F. Suggest that the MSR cancels the audit contract and reapplies for the new situation
正解:C、D
解説:
The correct options for how the auditor should respond are:
* A. Advise the MSR that an extension of the scope may be incorporated but will have to go through established procedures
* D. Determine whether the Management System covers the processes at the new site and, if so, proceed with the audit These options are consistent with the ISO/IEC 27006:2015 standard, which states that any changes to the scope of certification should be notified by the client to the certification body, and that the certification body should evaluate and decide on these changes in accordance with its procedures1. The auditor should also verify that the ISMS is implemented and maintained at all sites included in the scope of certification1.
The other options are not appropriate for how the auditor should respond, because:
* B. Advise the MSR that the audit scope has been determined based on their initial application so the audit has to proceed as planned: This option is too rigid and does not allow for any flexibility or adaptation to the client's situation. The auditor should be open to consider any changes to the scope of certification that may have occurred since the initial application, as long as they are properly notified and evaluated by the certification body.
* C. Suggest that the MSR cancels the audit contract and reapplies for the new situation: This option is too drastic and unnecessary, as it would cause delays and costs for both the client and the certification body.
The auditor should not suggest that the client cancels the audit contract, but rather that they follow the established procedures for requesting and approving an extension of the scope of certification.
* E. Advise the MSR that, within the existing scope, the new work area can be included without any problem: This option is too lenient and does not ensure that the new work area meets the requirements of ISO/IEC 27001 and the ISMS. The auditor should not assume that the new work area can be included within the existing scope without any problem, but rather that they need to verify that the ISMS is implemented and maintained at the new site, and that any changes to the scope of certification are approved by the certification body.
* F. Confirm that the auditor will advise the auditee that the audit scope will be revised to include the new work area: This option is too presumptuous and does not respect the authority of the certification body.
The auditor should not confirm that they will revise the audit scope to include the new work area, but rather that they will advise the certification body of the client's request for an extension of the scope of certification, and wait for their decision.
質問 # 141
Select the words that best complete the sentence:
正解:
解説:
Explanation:
"In a third-party audit an observation can indicate conformity at organisation is not required to take action." According to the PECB Candidate Handbook1, an observation is "a statement of fact made during an audit and substantiated by objective evidence". An observation can indicate conformity or nonconformity, but it does not require any corrective action from the audited organisation. A recommendation, on the other hand, is "a suggestion for improvement based on an observation". A recommendation may or may not be accepted by the audited organisation.
According to the Fundamentals - Third parties2, a third-party audit is "an audit conducted by an external organisation that has the legal right to audit an organisation's processes and procedures". A third-party audit can result in a finding, which is "a conclusion reached by the auditor based on the audit evidence collected". A finding can be positive or negative, depending on whether the audited organisation meets the audit criteria or not. A nonconformity is "a finding that indicates the non-fulfilment of a requirement". A nonconformity requires corrective action from the audited organisation to prevent recurrence.
質問 # 142
PayBell, a finance corporation, is using an accounting software to track financial transactions. The software can be accessed from anywhere with an internet connection. It also enables PayBell's employees to easily collaborate with each other to ensure accurate financial reporting. What type of services is PayBell using?
- A. Cloud computing
- B. Machine learning
- C. Artificial intelligence
正解:A
質問 # 143
Scenario 6: Sinvestment is an insurance company that offers home, commercial, and life insurance. The company was founded in North Carolina, but have recently expanded in other locations, including Europe and Africa.
Sinvestment is committed to complying with laws and regulations applicable to their industry and preventing any information security incident. They have implemented an ISMS based on ISO/IEC 27001 and have applied for ISO/IEC 27001 certification.
Two auditors were assigned by the certification body to conduct the audit. After signing a confidentiality agreement with Sinvestment. they started the audit activities. First, they reviewed the documentation required by the standard, including the declaration of the ISMS scope, information security policies, and internal audits reports. The review process was not easy because, although Sinvestment stated that they had a documentation procedure in place, not all documents had the same format.
Then, the audit team conducted several interviews with Sinvestment's top management to understand their role in the ISMS implementation. All activities of the stage 1 audit were performed remotely, except the review of documented information, which took place on-site, as requested by Sinvestment.
During this stage, the auditors found out that there was no documentation related to information security training and awareness program. When asked, Sinvestment's representatives stated that the company has provided information security training sessions to all employees. Stage 1 audit gave the audit team a general understanding of Sinvestment's operations and ISMS.
The stage 2 audit was conducted three weeks after stage 1 audit. The audit team observed that the marketing department (which was not included in the audit scope) had no procedures in place to control employees' access rights. Since controlling employees' access rights is one of the ISO/IEC 27001 requirements and was included in the information security policy of the company, the issue was included in the audit report. In addition, during stage 2 audit, the audit team observed that Sinvestment did not record logs of user activities.
The procedures of the company stated that "Logs recording user activities should be retained and regularly reviewed," yet the company did not present any evidence of the implementation of such procedure.
During all audit activities, the auditors used observation, interviews, documented information review, analysis, and technical verification to collect information and evidence. All the audit findings during stages 1 and 2 were analyzed and the audit team decided to issue a positive recommendation for certification.
During stage 1 audit, the audit team found out that Sinvestment did not have records on information security training and awareness. What Sinvestment do in this case? Refer to scenario 6.
- A. Correct the identified issue before the stage 2 audit
- B. Perform a new risk assessment process to understand whether the issue needs modification or not
- C. Document the identified issue and correct it after the certification audit is completed
正解:A
解説:
Sinvestment should correct the identified issue related to the lack of documentation on information security training and awareness before the stage 2 audit. Addressing this gap promptly ensures that the ISMS is fully compliant and effective when assessed in the subsequent audit stage.
References: ISO/IEC 27001:2013, Clause 7.2 (Competence)
質問 # 144
You are conducting a third-party surveillance audit when another member of the audit team approaches you seeking clarification. They have been asked to assess the organisation's application of control 5.7 - Threat Intelligence. They are aware that this is one of the new controls introduced in the 2022 edition of ISO/IEC
27001, and they want to make sure they audit the control correctly.
They have prepared a checklist to assist them with their audit and want you to confirm that their planned activities are aligned with the control's requirements.
Which three of the following options represent valid audit trails?
- A. I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements
- B. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
- C. I will ensure that the organisation's risk assessment process begins with effective threat intelligence
- D. I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team
- E. I will speak to top management to make sure all staff are aware of the importance of reporting threats
- F. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
- G. I will determine whether internal and external sources of information are used in the production of threat intelligence
- H. I will review the organisation's threat intelligence process and will ensure that this is fully documented
正解:B、G、H
解説:
Explanation
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control 5.7 requires an organization to establish and maintain a threat intelligence process to identify and evaluate information security threats that are relevant to its ISMS scope and objectives1. The organization should use internal and external sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that can be used to support risk assessment and treatment, as well as other information security activities1. Therefore, when auditing the organization's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that represent valid audit trails for verifying control 5.7 are:
* I will review the organisation's threat intelligence process and will ensure that this is fully documented:
This option is valid because it can provide evidence of how the organization has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:20221.
* I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organization has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organization has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:20221.
* I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organization has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organization has complied with the requirement of control 5.7 of ISO/IEC 27001:20221.
The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:
* I will speak to top management to make sure all staff are aware of the importance of reporting threats:
This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.
* I will ensure that the task of producing threat intelligence is assigned to the organisation s internal audit team: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also contradict the requirement for auditor independence and objectivity, as recommended by ISO 19011:20182, which provides guidelines for auditing management systems.
* I will ensure that the organisation's risk assessment process begins with effective threat intelligence:
This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also imply a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:20183, which provides guidelines for information security risk management.
* I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may also be too vague or broad to be an effective audit trail, as it does not specify what criteria or methods are used for collecting and evaluating information.
* I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organization has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO 19011:2018 - Guidelines for auditing management systems, ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management
質問 # 145
In the context of a management system audit, please identify the sequence of a typical process of collecting and verifying information. The first one has been done for you.
正解:
解説:
Explanation:
A screenshot of a computer Description automatically generated
* Identifying the source of information (already given)
* Gathering audit evidence: This involves collecting information from various sources such as documents, records, interviews, and observations.
* Sampling the available data: Due to the vast amount of information available, auditors typically use sampling techniques to select representative data for closer scrutiny.
* Verifying objective evidence: This involves checking the accuracy, completeness, and reliability of the collected evidence.
* Evaluating evidence against the audit criteria: Auditors compare the collected evidence to the established criteria (e.g., standards, policies, procedures) to assess compliance and effectiveness.
* Recording audit findings: This involves documenting the results of the evaluation, including observations, conclusions, and recommendations.
* Making audit conclusions: Based on the recorded findings, auditors formulate overall conclusions about the status of the management system.
Therefore, the correct sequence is:
1. Identifying the source of information 2. Gathering audit evidence 3. Sampling the available data 4.
Verifying objective evidence 5. Evaluating evidence against the audit criteria 6. Recording audit findings 7.
Making audit conclusions
質問 # 146
What is social engineering?
- A. The organization planning an activity for welfare of the neighborhood
- B. A group planning for a social activity in the organization
- C. Creating a situation wherein a third party gains confidential information from you
正解:C
解説:
Social engineering is a technique that involves creating a situation wherein a third party gains confidential information from you by manipulating your trust or exploiting your weaknesses. Social engineering can take various forms, such as phishing emails, phone calls, impersonation, or baiting. Social engineering is a common threat to information security, as it targets the human factor rather than the technical defenses. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 26. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 13.
質問 # 147
The audit team leader decided to involve a technical expert as part of the audit team, so they could fill the potential gaps of the audit team members' knowledge. What should the audit team leader consider in this case?
- A. The technical expert is allowed to take decisions related to the audit process when it is needed
- B. The technical expert should discuss their concerns directly with the certification body, and not with the auditor
- C. The technical expert can communicate their audit findings to the auditee only through one of the audit team members
正解:C
解説:
The technical expert can communicate their audit findings to the auditee only through one of the audit team members. This ensures that communications remain coordinated and that the audit team maintains control over the audit process.
References: ISO 19011:2018, Guidelines for auditing management systems
質問 # 148
......
ISO-IEC-27001-Lead-Auditor試験問題集と保証された成功率:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-mondaishu.html
最高品質のPECB ISO-IEC-27001-Lead-Auditor試験問題:https://drive.google.com/open?id=1jJqv0tk73kBjogYAW4Zms34L6gT1PSVH