ISO-IEC-27001-Lead-AuditorのPDF問題集で2023年11月26日試験問題 有効なISO-IEC-27001-Lead-Auditor問題集 [Q67-Q91]

Share

ISO-IEC-27001-Lead-AuditorのPDF問題集で2023年11月26日試験問題 有効なISO-IEC-27001-Lead-Auditor問題集

究極のISO-IEC-27001-Lead-Auditor準備ガイドで無料最新のPECB練習テスト問題集

質問 # 67
Four types of Data Classification (Choose two)

  • A. Financial Data, Highly Confidential Data
  • B. Restricted Data, Confidential Data
  • C. Project Data, Highly Confidential Data
  • D. Unrestricted Data, Highly Confidential Data

正解:B、D

解説:
Two types of data classification are restricted data and unrestricted data. Restricted data is data that has a high level of sensitivity or confidentiality, and requires strict protection from unauthorized access, disclosure, modification or destruction. Examples of restricted data include personal data, financial data, trade secrets, intellectual property, etc. Unrestricted data is data that has a low level of sensitivity or confidentiality, and can be freely accessed, disclosed, modified or destroyed without significant consequences. Examples of unrestricted data include public information, marketing materials, general news, etc. Data classification is a process of assigning categories or labels to data based on its value, sensitivity, criticality and legal requirements. Data classification helps to determine the appropriate level of security controls and handling procedures for different types of data. ISO/IEC 27001:2022 requires the organization to classify information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification (see clause A.8.2.1). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Data Classification?


質問 # 68
What controls can you do to protect sensitive data in your computer when you go out for lunch?

  • A. You are confident to leave your computer screen as is since a password protected screensaver is installed and it is set to activate after 10 minutes of inactivity
  • B. You lock your computer by pressing Windows+L or CTRL-ALT-DELETE and then click "Lock Computer".
  • C. You turn off the monitor
  • D. You activate your favorite screen-saver

正解:B

解説:
You should lock your computer by pressing Windows+L or CTRL-ALT-DELETE and then click "Lock Computer", because this is the most effective way to protect sensitive data in your computer when you go out for lunch. By locking your computer, you are preventing unauthorized access to your computer and its contents, as well as complying with the organization's access control policy and information security policy. Locking your computer requires a password or a biometric authentication to unlock it, which adds a layer of security to your data. The other options are not sufficient or reliable, as they do not prevent someone from accessing your computer or viewing your screen. Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, How to lock your PC


質問 # 69
All are prohibited in acceptable use of information assets, except:

  • A. Messages with very large attachments or to a large number ofrecipients.
  • B. Company-wide e-mails with supervisor/TL permission.
  • C. E-mail copies to non-essential readers
  • D. Electronic chain letters

正解:B


質問 # 70
The following are the guidelines to protect your password, except:

  • A. Change a temporary password on first log-on
  • B. For easy recall, use the same password for company and personal accounts
  • C. Don't use the same password for various company system security access
  • D. Do not share passwords with anyone

正解:B、D

解説:
The following are guidelines to protect your password, except for easy recall use the same password for company and personal accounts; do not share passwords with anyone. Using the same password for company and personal accounts is not a guideline to protect your password, as it increases the risk of compromising your password if one of your accounts is hacked or breached. You should use different and unique passwords for each account, and change them regularly. Sharing passwords with anyone is not a guideline to protect your password, as it reduces the security and accountability of your password. You should keep your password confidential and never disclose it to anyone, even if they claim to be authorized or trustworthy. Don't use the same password for various company system security access is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if one of the systems is compromised or breached. You should use different and complex passwords for each system, and follow the password policies and standards of the organization. Change a temporary password on first log-on is a guideline to protect your password, as it prevents unauthorized access or misuse of your password if the temporary password is intercepted or leaked. You should change the temporary password to a personal and secure password as soon as possible, and avoid using default or predictable passwords. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 43. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 15.


質問 # 71
In which order is an Information Security Management System set up?

  • A. Establishment, operation, monitoring, improvement
  • B. Implementation, operation, improvement, maintenance
  • C. Implementation, operation, maintenance, establishment
  • D. Establishment, implementation, operation, maintenance

正解:D

解説:
The establishment phase of an ISMS involves defining the scope, context, objectives, and leadership commitment for information security management within an organization. It also involves identifying and assessing the risks and opportunities related to information security and selecting the appropriate controls to treat them. The implementation phase of an ISMS involves executing the plans and actions to achieve the information security objectives and implement the selected controls. It also involves ensuring the availability of resources and competencies for information security management. The operation phase of an ISMS involves monitoring and measuring the performance and effectiveness of the ISMS and reporting on the results. It also involves addressing nonconformities and taking corrective actions to prevent recurrence. The maintenance phase of an ISMS involves reviewing and evaluating the ISMS at planned intervals and identifying opportunities for improvement. It also involves updating the ISMS as necessary to reflect changes in the internal and external context of the organization. Therefore, an ISMS is set up in the following order: establishment, implementation, operation, maintenance. Reference: ISO/IEC 27001:2022, clauses 6-10; ISO/IEC 27000:2022, clause 4.


質問 # 72
How is the purpose of information security policy best described?

  • A. An information security policy documents the analysis of risks and the search for countermeasures.
  • B. An information security policy provides direction and support to the management regarding information security.
  • C. An information security policy provides insight into threats and the possible consequences.
  • D. An information security policy makes the security plan concrete by providing it with the necessary details.

正解:B

解説:
The purpose of information security policy is best described as providing direction and support to the management regarding information security. An information security policy is a high-level document that defines the organization's vision, objectives, principles and responsibilities for information security. It also sets the scope and context of the information security management system and aligns it with the organization's strategy and culture. An information security policy does not document the analysis of risks or the search for countermeasures, nor does it make the security plan concrete or provide insight into threats and consequences. These are tasks for other documents or processes within the information security management system. ISO/IEC 27001:2022 defines information security policy as "policy that provides direction and support for information security in accordance with business requirements and relevant laws and regulations" (see clause 3.29). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information Security Policy?


質問 # 73
Cabling Security is associated with Power, telecommunication and network cabling carrying information are protected from interception and damage.

  • A. True
  • B. False

正解:A

解説:
Cabling security is associated with power, telecommunication and network cabling carrying information are protected from interception and damage. This statement is true, as cabling security is a part of physical and environmental security that aims to prevent unauthorized physical access, damage and interference to information and information processing facilities. Cabling security involves securing the cables that transmit information from one device or location to another, such as power cables, telephone cables, network cables, etc. Cabling security can prevent eavesdropping, tampering, interruption or destruction of information by physical means, such as cutting, tapping, bending or exposing the cables. ISO/IEC 27001:2022 requires the organization to implement physical and environmental security controls to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities (see clause A.11). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Cabling Security?


質問 # 74
Changes on project-managed applications or database should undergo the change control process as documented.

  • A. True
  • B. False

正解:A

解説:
Changes on project-managed applications or database should undergo the change control process as documented, because this is a requirement of ISO/IEC 27001:2022 clause 12.1.2, which states that "the organization shall define and apply a change management process for changes to systems and applications within the scope of the information security management system". The change management process should ensure that changes are recorded, assessed, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled manner. Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], [ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements]


質問 # 75
Phishing is what type of Information Security Incident?

  • A. Legal Incidents
  • B. Cracker/Hacker Attacks
  • C. Technical Vulnerabilities
  • D. Private Incidents

正解:B

解説:
Phishing is a type of information security incident that falls under the category of cracker/hacker attacks. Phishing is a form of fraud that uses deceptive emails or other messages to trick recipients into revealing sensitive information, such as passwords, credit card numbers, bank account details, etc. Phishing emails often impersonate legitimate organizations or individuals and create a sense of urgency or curiosity to lure the victims into clicking on malicious links, opening malicious attachments or providing personal information. Phishing is a common and serious threat to information security, as it can lead to identity theft, financial loss, data breach, malware infection or other damages. ISO/IEC 27001:2022 requires the organization to implement awareness and training programs to make users aware of the risks of social engineering attacks, such as phishing, and how to avoid them (see clause A.7.2.2). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Phishing?


質問 # 76
What is the worst possible action that an employee may receive for sharing his or her password or access with others?

  • A. Forced roll off from the project
  • B. Three days suspension from work
  • C. Termination
  • D. The lowest rating on his or her performance assessment

正解:C


質問 # 77
What would be the reference for you to know who should have access to data/document?

  • A. Access Control List (ACL)
  • B. Masterlist of Project Records (MLPR)
  • C. Information Rights Management (IRM)
  • D. Data Classification Label

正解:A


質問 # 78
A hacker gains access to a webserver and can view a file on the server containing credit card numbers.
Which of the Confidentiality, Integrity, Availability (CIA) principles of the credit card file are violated?

  • A. Confidentiality
  • B. Integrity
  • C. Compliance
  • D. Availability

正解:A


質問 # 79
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?

  • A. Encrypt all sensitive information
  • B. Appoint security staff
  • C. Set up an access control procedure
  • D. Formulate a policy

正解:D

解説:
An organisational measure is a measure that involves the establishment of policies, procedures, roles, responsibilities, and structures to manage information security within an organization. Examples of organisational measures include security policies, awareness programs, risk assessments, audits, and incident response plans. A policy is a statement of intent or direction that provides guidance for decision making and actions within an organization. A policy defines the scope, objectives, principles, and roles for information security management. Therefore, formulating a policy is the first step in a structured approach to come up with an organisational measure to protect laptop computers. Reference: ISO/IEC 27000:2022, clause 3.47; ISO/IEC 27001:2022, clause 5.2.


質問 # 80
Which of the following statements are correct for Clean Desk Policy?

  • A. Don't leave laptops without cable lock.
  • B. Don't leave valuable items on your desk if you are not in your work area.
  • C. Don't leave confidential documents on your desk.
  • D. Don't leave highly confidential items.

正解:B、C、D


質問 # 81
All are prohibited in acceptable use of information assets, except:

  • A. Messages with very large attachments or to a large number ofrecipients.
  • B. Company-wide e-mails with supervisor/TL permission.
  • C. E-mail copies to non-essential readers
  • D. Electronic chain letters

正解:B

解説:
The only option that is not prohibited in acceptable use of information assets is C: company-wide e-mails with supervisor/TL permission. This option implies that the sender has obtained the necessary authorization from their supervisor or team leader to send an e-mail to all employees in the organization. This could be done for legitimate business purposes, such as announcing important news, events or updates that are relevant to everyone. However, this option should still be used sparingly and responsibly, as it could cause unnecessary disruption or annoyance to the recipients if abused or misused. The other options are prohibited in acceptable use of information assets, as they could violate the information security policies and procedures of the organization, as well as waste resources and bandwidth. Electronic chain letters (A) are messages that urge recipients to forward them to multiple other people, often with false or misleading claims or promises. They are considered spam and could contain malicious links or attachments that could compromise information security. E-mail copies to non-essential readers (B) are messages that are sent to recipients who do not need to receive them or have no interest in them. They are considered unnecessary and could clutter the inbox and distract the recipients from more important messages. Messages with very large attachments or to a large number of recipients (D) are messages that consume a lot of network resources and could affect the performance or availability of the information systems. They could also exceed the storage capacity or quota limits of the recipients' mailboxes and cause problems for them. ISO/IEC 27001:2022 requires the organization to implement rules for acceptable use of assets (see clause A.8.1.3). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Acceptable Use?


質問 # 82
Who are allowed to access highly confidential files?

  • A. Non-employees designated with approved access and have signed NDA
  • B. Employees with signed NDA have a business need-to-know
  • C. Employees with a business need-to-know
  • D. Contractors with a business need-to-know

正解:B


質問 # 83
What is social engineering?

  • A. Creating a situation wherein a third party gains confidential information from you
  • B. A group planning for a social activity in the organization
  • C. The organization planning an activity for welfare of the neighborhood

正解:A

解説:
Social engineering is a technique that involves creating a situation wherein a third party gains confidential information from you by manipulating your trust or exploiting your weaknesses. Social engineering can take various forms, such as phishing emails, phone calls, impersonation, or baiting. Social engineering is a common threat to information security, as it targets the human factor rather than the technical defenses. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 26. : ISO/IEC 27001 LEAD AUDITOR - PECB, page 13.


質問 # 84
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?

  • A. Encrypt all sensitive information
  • B. Appoint security staff
  • C. Set up an access control procedure
  • D. Formulate a policy

正解:D


質問 # 85
A hacker gains access to a web server and reads the credit card numbers stored on that server. Which security principle is violated?

  • A. Authenticity
  • B. Confidentiality
  • C. Integrity
  • D. Availability

正解:B

解説:
Confidentiality is one of the security principles that states that only authorized parties should have access to information assets. Confidentiality protects the secrecy and privacy of information from unauthorized disclosure or exposure. A hacker gaining access to a web server and reading the credit card numbers stored on that server violates the confidentiality principle, as he or she is not an authorized party and has access to sensitive information that belongs to others. Therefore, the correct answer is B. Reference: ISO/IEC 27000:2022, clause 3.8; Defining Security Principles - Pearson IT Certification.


質問 # 86
What controls can you do to protect sensitive data in your computer when you go out for lunch?

  • A. You are confident to leave your computer screen as is since a password protected screensaver is installed and it is set to activate after 10 minutes of inactivity
  • B. You lock your computer by pressing Windows+L or CTRL-ALT-DELETE and then click "Lock Computer".
  • C. You turn off the monitor
  • D. You activate your favorite screen-saver

正解:B


質問 # 87
The following are the guidelines to protect your password, except:

  • A. Change a temporary password on first log-on
  • B. For easy recall, use the same password for company and personal accounts
  • C. Don't use the same password for various company system security access
  • D. Do not share passwords with anyone

正解:B、D


質問 # 88
You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.
Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

  • A. I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them
  • B. I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates
  • C. I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved
  • D. I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this
  • E. I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
  • F. I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed
  • G. I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined

正解:B、C、F

解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels1. The objectives should be consistent with the information security policy; measurable (if practicable) or capable of being evaluated; monitored; communicated; updated as appropriate1. Therefore, when auditing an organization's information security objectives, an ISMS auditor should verify these aspects in accordance with the audit criteria.
Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:
I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives at relevant functions and levels, not just at the top management level. It also implies that the auditor in training is willing to accept a delay or postponement in determining the information security objectives, which may affect the ISMS performance and effectiveness.
I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are measurable (if practicable) or capable of being evaluated, not just written down on paper. It also implies that the auditor in training is not aware of the flexibility and suitability of different media or formats for documenting and communicating information security objectives, such as electronic or digital records, posters, newsletters, etc.
I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are monitored, not just completed by a certain date. It also implies that the auditor in training is not aware of the possibility and necessity of updating information security objectives as appropriate, such as when changes occur in the internal or external context of the organization, or when new risks or opportunities arise.
The other responses from the ISMS auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. For example, checking how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved is relevant to verifying the communication aspect of clause 6.2; checking that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this is relevant to verifying the updating aspect of clause 6.2; checking that the necessary budget, manpower and materials to achieve each objective has been determined is relevant to verifying the planning aspect of clause 6.2; checking that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them is relevant to verifying the measurability aspect of clause 6.2. Reference: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements


質問 # 89
What is the standard definition of ISMS?

  • A. Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.
  • B. A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security
  • C. A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
  • D. A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.

正解:D


質問 # 90
Which of the following is a technical security measure?

  • A. Security policy
  • B. Encryption
  • C. Safe storage of backups
  • D. User role profiles.

正解:B

解説:
A technical security measure is a measure that uses technology to protect information assets from unauthorized access, modification, disclosure, or destruction. Examples of technical security measures include encryption, firewalls, antivirus software, authentication systems, and access control mechanisms. Encryption is a technical security measure that transforms information into an unreadable format using a secret key or algorithm. Encryption protects the confidentiality, integrity, and availability of information by preventing unauthorized parties from accessing or altering it. Therefore, encryption is the correct answer to this question. Reference: ISO/IEC 27000:2022, clause 3.48; ISO/IEC 27002:2022, clause 10.1.


質問 # 91
......


PECB ISO-IEC-27001-Lead-Auditor試験は、ISO/IEC 27001リード監査員として認定されるために必要なスキルと知識を提供するプログラムです。試験は、情報セキュリティ、品質管理、事業継続性の分野で、トレーニング、試験、認定サービスを提供する業界のリーディングプロバイダーであるProfessional Evaluation and Certification Board(PECB)が実施しています。

 

合格率 取得する秘訣はISO-IEC-27001-Lead-Auditor認定試験エンジンPDF:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-mondaishu.html

今すぐ試そう!高評価PECB ISO-IEC-27001-Lead-Auditor試験問題集:https://drive.google.com/open?id=1UtOcfsEx6J1udrEUVnbmhpOajs4MJWi7