• ホーム
  • ブログ
  • [2025年04月] 更新されたのはISO-IEC-27001-Lead-Implementer問題集PDFオンラインエンジン [Q29-Q46]

[2025年04月] 更新されたのはISO-IEC-27001-Lead-Implementer問題集PDFオンラインエンジン [Q29-Q46]

Share

[2025年04月] 更新されたのはPECB ISO-IEC-27001-Lead-Implementer問題集PDFオンラインエンジン

ISO-IEC-27001-Lead-Implementer.PDFで問題解答PDFサンプル問題は信頼され続ける


PECB ISO-IEC-27001-Lead-Implementer試験の準備には、トレーニングコース、学習資料、練習問題など、PECBが提供する多数のリソースを活用することができます。これらのリソースは、候補者が試験に合格し、ISO / IEC 27001リードインプリメンターとして認定されるために必要な知識とスキルを開発するのに役立ちます。さらに、候補者は、ISMSでの実務経験やISO / IEC 27001標準の実装に取り組むことで得られる経験を活かすことができます。


PECB 認定 ISO/IEC 27001 リードインプリメンターとして認定を受けることは、個人が ISO/IEC 27001 標準に基づく効果的な ISMS を実装および維持するために必要な知識とスキルを持っていることを雇用主やクライアントに示すことができます。この認定は、情報セキュリティ分野の専門家にとって新しいキャリアの機会を開拓し、収益性を高めることができます。

 

質問 # 29
Kyte. a company that has an online shopping website, has added a Q&A section to its website; however, its Customer Service Department almost never provides answers to users' questions. Which principle of an effective communication strategy has Kyte not followed?

  • A. Appropriateness
  • B. Clarity
  • C. Responsiveness

正解:C

解説:
In the scenario described, Kyte's failure to provide answers to users' questions in the Q&A section of its online shopping website demonstrates a lack of responsiveness. Responsiveness is a key principle of an effective communication strategy, especially in customer service. It involves timely and appropriate reactions to inquiries and feedback, ensuring that customers' concerns and queries are addressed promptly. By not responding, Kyte is not adhering to this principle, potentially affecting customer satisfaction and trust.


質問 # 30
Scenario 7: InfoSec, based in Boston, MA, is a multinational corporation offering professional electronics, gaming, and entertainment products. Following several information security incidents, InfoSec has decided to establish teams of experts and implement measures to prevent potential incidents in the future.
Emma, Bob, and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT), and a forensics team. Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively. Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will implement a screened subnet network architecture. This architecture will isolate the demilitarized zone (DMZ), to which hosted public services are attached, and InfoSec's publicly accessible resources from their private network. Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring a thorough evaluation of the nature of an unexpected event, including how the event happened and what or whom it might affect.
On the other hand, Anna will create records of the data, reviews, analyses, and reports to keep evidence for disciplinary and legal action and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand. Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
As part of InfoSec's initiative to strengthen information security measures, Anna will conduct information security risk assessments only when significant changes are proposed and will document the results of these risk assessments. Upon completion of the risk assessment process, Anna is responsible for developing and implementing a plan for treating information security risks and documenting the risk treatment results.
Furthermore, while implementing the communication plan for information security, InfoSec's top management was responsible for creating a roadmap for new product development. This approach helps the company to align its security measures with the product development efforts, demonstrating a commitment to integrating security into every aspect of its business operations.
InfoSec uses a cloud service model that includes cloud-based apps accessed through the web or an application programming interface (API). All cloud services are provided by the cloud service provider, while data is managed by InfoSec. This introduces unique security considerations and becomes a primary focus for the information security team to ensure data and systems are protected in this environment.
Based on this scenario, answer the following question:
Which of the following cloud service models did InfoSec use?

  • A. Infrastructure as a Service
  • B. Software as a Service
  • C. Platform as a Service

正解:B


質問 # 31
You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?

  • A. Risk passing
  • B. Risk neutral
  • C. Risk bearing
  • D. Risk avoiding

正解:B


質問 # 32
Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?

  • A. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
  • B. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
  • C. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow

正解:B


質問 # 33
Scenario 9: OpenTech provides IT and communications services. It helps data communication enterprises and network operators become multi-service providers During an internal audit, its internal auditor, Tim, has identified nonconformities related to the monitoring procedures He identified and evaluated several system Invulnerabilities.
Tim found out that user IDs for systems and services that process sensitive information have been reused and the access control policy has not been followed After analyzing the root causes of this nonconformity, the ISMS project manager developed a list of possible actions to resolve the nonconformity. Then, the ISMS project manager analyzed the list and selected the activities that would allow the elimination of the root cause and the prevention of a similar situation in the future. These activities were included in an action plan The action plan, approved by the top management, was written as follows:
A new version of the access control policy will be established and new restrictions will be created to ensure that network access is effectively managed and monitored by the Information and Communication Technology (ICT) Department The approved action plan was implemented and all actions described in the plan were documented.
Based on scenario 9. did the ISMS project manager complete the corrective action process appropriately?

  • A. Yes, the corrective action process should include the identification of the nonconformity, situation analysis, and implementation of corrective actions
  • B. No, the corrective action did not address the root cause of the nonconformity
  • C. No, the corrective action process should also include the review of the implementation of the selected actions

正解:C

解説:
Explanation
According to ISO/IEC 27001:2022, the corrective action process consists of the following steps12:
Reacting to the nonconformity and, as applicable, taking action to control and correct it and deal with the consequences Evaluating the need for action to eliminate the root cause(s) of the nonconformity, in order that it does not recur or occur elsewhere Implementing the action needed Reviewing the effectiveness of the corrective action taken Making changes to the information security management system, if necessary In scenario 9, the ISMS project manager did not complete the last step of reviewing the effectiveness of the corrective action taken. This step is important to verify that the corrective action has achieved the intended results and that no adverse effects have been introduced. The review can be done by using various methods, such as audits, tests, inspections, or performance indicators3. Therefore, the ISMS project manager did not complete the corrective action process appropriately.
References:
1: ISO/IEC 27001:2022, clause 10.2 2: Procedure for Corrective Action [ISO 27001 templates] 3: ISO 27001 Clause 10.2 Nonconformity and corrective action


質問 # 34
Company X restricted the access of the internal auditor of some of its documentation taking into account its confidentiality. Is this acceptable?

  • A. No. restricting the internal auditor's access to offices and documentation can negatively affect the internal audit process
  • B. Yes. it is up to the company to determine what an internal auditor can access
  • C. Yes. confidential information should not be increased by internal auditors

正解:A


質問 # 35
According to scenario 8, Tessa created a plan for ISMS monitoring and measurement and presented it to the top management Is this acceptable?

  • A. No, Tessa should only communicate the issues found to the top management
  • B. Yes, Tessa can advise the top management on improving the company's functions
  • C. No, Tessa must implement all the improvements needed for issues found during the audit

正解:B


質問 # 36
'The ISMS covers all departments within Company XYZ that have access to customers' data. The purpose of the ISMS is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security." What does this statement
^"describe?

  • A. The information systems boundary of the ISMS scope
  • B. The physical boundary of the ISMS scope
  • C. The organizational boundaries of the ISMS scope

正解:C

解説:
Explanation
The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers' data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security.
The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS.
The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.
References:
ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1 How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2 How To Use an Information Flow Map to Determine Scope of Your ISMS3 ISMS SCOPE DOCUMENT - Resolver4 Define the Scope and Objectives - ISMS Info5


質問 # 37
In scenario 1, HealthGenic experienced a number of service interruptions due to the loss of functionality of the software. Which principle of information security has been affected in this case?

  • A. Availability
  • B. Integrity
  • C. Confidentiality

正解:A


質問 # 38
An organization has decided to conduct information security awareness and training sessions on a monthly basis for all employees. Only 45% of employees who attended these sessions were able to pass the exam.
What does the percentage represent?

  • A. Measurement objective
  • B. Attribute
  • C. Performance indicator

正解:C

解説:
Explanation
According to the ISO/IEC 27001:2022 standard, a performance indicator is "a metric that provides information about the effectiveness or efficiency of an activity, process, system or organization" (section 3.35). A performance indicator should be measurable, relevant, achievable, realistic and time-bound (SMART). In this case, the percentage of employees who passed the exam is a performance indicator that measures the effectiveness of the information security awareness and training sessions. It shows how well the sessions achieved their intended learning outcomes and how well the employees understood the information security concepts and practices.
References:
ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements1 ISO/IEC 27001 Lead Implementer Info Kit Key performance indicators for an ISO 27001 ISMS2


質問 # 39
Which of the following measures is a preventive measure?

  • A. Putting sensitive information in a safe
  • B. Installing a logging system that enables changes in a system to be recognized
  • C. Classifying a risk as acceptable because the cost of addressing the threat is higher than the value of the information at risk
  • D. Shutting down all internet traffic after a hacker has gained access to thecompany systems

正解:A


質問 # 40
What is the main purpose of Annex A 7.1 Physical security perimeters of ISO/IEC 27001?

  • A. To ensure access to information and other associated assets is defined and authorized
  • B. To maintain the confidentiality of information that is accessible by personnel or external parties
  • C. To prevent unauthorized physical access, damage, and interference to the organization's information and other associated assets

正解:C

解説:
Explanation
Annex A 7.1 of ISO/IEC 27001 : 2022 is a control that requires an organization to define and implement security perimeters and use them to protect areas that contain information and other associated assets.
Information and information security assets can include data, infrastructure, software, hardware, and personnel. The main purpose of this control is to prevent unauthorized physical access, damage, and interference to these assets, which could compromise the confidentiality, integrity, and availability of the information. Physical security perimeters can include fences, walls, gates, locks, alarms, cameras, and other barriers or devices that restrict or monitor access to the facility or area. The organization should also consider the environmental and fire protection of the assets, as well as the disposal of any waste or media that could contain sensitive information.
References:
ISO/IEC 27001 : 2022 Lead Implementer Study Guide, Section 5.3.1.7, page 101 ISO/IEC 27001 : 2022 Lead Implementer Info Kit, page 17 ISO/IEC 27002 : 2022, Control 7.1 - Physical Security Perimeters123


質問 # 41
A company decided to use an algorithm that analyzes various attributes of customer behavior, such as browsing patterns and demographics, and groups customers based on their similar characteristics. This way. the company will be able to identify frequent buyers and trend-followers, among others. What type of machine learning this the company using?

  • A. Unsupervised machine learning
  • B. Supervised machine learning
  • C. Decision tree machine learning

正解:A

解説:
According to the ISO/IEC 27001 : 2022 Lead Implementer course, one of the objectives of information security incident management is to collect and preserve records that can be used as evidence for disciplinary and legal action, as well as for learning and improvement purposes1. Therefore, Anna should be aware of the collection and preservation of records when gathering data for the forensics team. She should follow the guidelines and procedures specified in the information security incident management policy of InfoSec, which defines the type, format, content, and location of the records to be created and maintained2. The records should be accurate, complete, consistent, and reliable, and should be protected from unauthorized access, modification, or deletion3.


質問 # 42
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3, what would help Socket Inc. address similar information security incidents in the future?

  • A. Using the MongoDB database with the default settings
  • B. Using the access control system to ensure that only authorized personnel is granted access
  • C. Using cryptographic keys to protect the database from unauthorized access

正解:C

解説:
In Scenario 3, the measure that would help Socket Inc. address similar information security incidents in the future is "B. Using cryptographic keys to protect the database from unauthorized access." Implementing cryptographic controls, including cryptographic key management, is a proactive measure to secure the data in the MongoDB database against unauthorized access. It ensures that even if attackers gain access to the database, they cannot read or misuse the data without the appropriate cryptographic keys. This approach aligns with best practices for securing sensitive data and is part of a comprehensive security strategy.
Reference:
ISO 27001 - Annex A.10 - Cryptography
ISO 27001 Annex A.10 - Cryptography | ISMS.online
ISO 27001 cryptographic controls policy | What needs to be included?


質問 # 43
Which option below should be addressed in an information security policy?

  • A. Actions to be performed after an information security incident
  • B. The complexity of information security processes and their interactions
  • C. Legal and regulatory obligations imposed upon the organization

正解:C

解説:
According to the ISO/IEC 27001:2022 standard, an information security policy is a high-level document that defines the management approach and objectives for information security within the organization. It should include, among other things, the legal and regulatory obligations imposed upon the organization, such as compliance with laws, contracts, agreements, and standards that are relevant to information security. The information security policy should also provide the basis for establishing, implementing, maintaining, and continually improving the information security management system (ISMS).
Reference:
ISO/IEC 27001:2022, Clause 5.2 Policy
ISO/IEC 27002:2022, Clause 5.1 Policies for information security
PECB ISO/IEC 27001 Lead Implementer Course, Module 3: Information Security Management System (ISMS)


質問 # 44
Can Socket Inc. find out that no persistent backdoor was placed and that the attack was initiated from an employee inside the company by reviewing event logs that record user faults and exceptions? Refer to scenario
3.

  • A. Yes. Socket Inc. can find out that no persistent backdoor was placed by only reviewing user faults and exceptions logs
  • B. No, Socket Inc should also have reviewed event logs that record user activities
  • C. No, Socket Inc. should have reviewed all the logs on the syslog server

正解:B


質問 # 45
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;

  • A. The level of risk will be defined using a formula
  • B. The level of risk will be evaluated against qualitative criteria
  • C. The level of risk will be evaluated using quantitative analysis

正解:B

解説:
Qualitative risk assessment is a method of evaluating risks based on nonnumerical categories, such as low, medium, and high. It is often used when there is not enough data or resources to perform a quantitative risk assessment, which involves numerical values and calculations. Qualitative risk assessment relies on the subjective judgment and experience of the risk assessors, and it can be influenced by various factors, such as thecontext, the stakeholders, and the criteria. According to ISO/IEC 27001:2022, Annex A, control A.8.2.1 states: "The organization shall define and apply an information security risk assessment process that: ... d) identifies the risk owners; e) analyses the risks: i) assesses the consequences that would result if the risks identified were to materialize; ii) assesses the realistic likelihood of the occurrence of the risks; f) identifies and evaluates options for the treatment of risks; g) determines the levels of residual risk and whether these are acceptable; and h) identifies the risk owners for the residual risks." Therefore, TradeB's decision to define the level of risk based on three nonnumerical categories indicates that they used a qualitative risk assessment process.
References:
* ISO/IEC 27001:2022, Annex A, control A.8.2.1
* PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slides 12-13


質問 # 46
......

PECB ISO-IEC-27001-Lead-Implementer問題集PDFのベストを目指すなら問題集を使おう 目指そう高得点:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Implementer-mondaishu.html

ISO 27001 ISO-IEC-27001-Lead-Implementer試験と認定テストエンジン:https://drive.google.com/open?id=1Ou8HrkqsaowhWJN7drro3jPAR9pk2bkB

関するブログ

もっと
ISO-IEC-27001-Lead-Implementer無料問題集