ISO-IEC-27001-Lead-Auditor問題集合格保証付きの合格できるISO-IEC-27001-Lead-Auditor試験2023年更新
ISO-IEC-27001-Lead-Auditor試験問題集を試そう!ベストISO-IEC-27001-Lead-Auditor試験問題トレーニングを提供していますGoShiken
質問 # 54
Which reliability aspect of information is compromised when a staff member denies having sent a message?
- A. Confidentiality
- B. Integrity
- C. Availability
- D. Correctness
正解:B
解説:
The reliability aspect of information that is compromised when a staff member denies having sent a message is integrity. Integrity is the property of information that ensures its accuracy, completeness, consistency and authenticity. When a staff member denies having sent a message, it implies that the message was either altered, forged, deleted or repudiated by someone else, which violates the integrity of the information. ISO/IEC 27001:2022 defines integrity as "the property of accuracy and completeness" (see clause 3.24). Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Integrity?
質問 # 55
What controls can you do to protect sensitive data in your computer when you go out for lunch?
- A. You activate your favorite screen-saver
- B. You turn off the monitor
- C. You lock your computer by pressing Windows+L or CTRL-ALT-DELETE and then click "Lock Computer".
- D. You are confident to leave your computer screen as is since a password protected screensaver is installed and it is set to activate after 10 minutes of inactivity
正解:C
質問 # 56
What would be the reference for you to know who should have access to data/document?
- A. Masterlist of Project Records (MLPR)
- B. Information Rights Management (IRM)
- C. Access Control List (ACL)
- D. Data Classification Label
正解:C
質問 # 57
You are an experienced ISMS audit team leader providing instruction to an auditor in training. They are unclear in their understanding of risk processes and ask you to provide them with an example of each of the processes detailed below.
Match each of the descriptions provided to one of the following risk management processes.
To complete the table click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop each option to the appropriate blank section.
正解:
解説:
Reference:
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements ISO/IEC 27005:2022 Information technology - Security techniques - Information security risk management
質問 # 58
You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation's Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.
Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?
- A. I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved
- B. I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined
- C. I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed
- D. I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this
- E. I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates
- F. I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
- G. I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them
正解:A、C、E
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels1. The objectives should be consistent with the information security policy; measurable (if practicable) or capable of being evaluated; monitored; communicated; updated as appropriate1. Therefore, when auditing an organization's information security objectives, an ISMS auditor should verify these aspects in accordance with the audit criteria.
Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:
I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives at relevant functions and levels, not just at the top management level. It also implies that the auditor in training is willing to accept a delay or postponement in determining the information security objectives, which may affect the ISMS performance and effectiveness.
I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are measurable (if practicable) or capable of being evaluated, not just written down on paper. It also implies that the auditor in training is not aware of the flexibility and suitability of different media or formats for documenting and communicating information security objectives, such as electronic or digital records, posters, newsletters, etc.
I am going to check that a completion date has been set for each objective and that there are no objectives with missing 'achieve by' dates: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are monitored, not just completed by a certain date. It also implies that the auditor in training is not aware of the possibility and necessity of updating information security objectives as appropriate, such as when changes occur in the internal or external context of the organization, or when new risks or opportunities arise.
The other responses from the ISMS auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. For example, checking how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved is relevant to verifying the communication aspect of clause 6.2; checking that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this is relevant to verifying the updating aspect of clause 6.2; checking that the necessary budget, manpower and materials to achieve each objective has been determined is relevant to verifying the planning aspect of clause 6.2; checking that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them is relevant to verifying the measurability aspect of clause 6.2. Reference: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements
質問 # 59
Which of the following is a technical security measure?
- A. Security policy
- B. Encryption
- C. Safe storage of backups
- D. User role profiles.
正解:B
解説:
A technical security measure is a measure that uses technology to protect information assets from unauthorized access, modification, disclosure, or destruction. Examples of technical security measures include encryption, firewalls, antivirus software, authentication systems, and access control mechanisms. Encryption is a technical security measure that transforms information into an unreadable format using a secret key or algorithm. Encryption protects the confidentiality, integrity, and availability of information by preventing unauthorized parties from accessing or altering it. Therefore, encryption is the correct answer to this question. Reference: ISO/IEC 27000:2022, clause 3.48; ISO/IEC 27002:2022, clause 10.1.
質問 # 60
Which of the following factors does NOT contribute to the value of data for an organisation?
- A. The correctness of data
- B. The indispensability of data
- C. The importance of data for processes
- D. The content of data
正解:D
解説:
The value of data for an organisation depends on various factors, such as the correctness, indispensability, importance, relevance, timeliness, completeness, and uniqueness of data. The content of data, however, does not contribute to its value, as it is merely the representation of data in a specific format or structure. The content of data can change depending on how it is processed, stored, or presented, but the value of data is derived from its meaning and usefulness for the organisation. Therefore, the correct answer is D. Reference: Putting a value on data - PwC UK, page 3; What is Data Value? How to Define the Value of Your Data.
質問 # 61
Changes to the information processing facilities shall be done in controlled manner.
- A. False
- B. True
正解:B
解説:
Changes to the information processing facilities shall be done in a controlled manner, according to clause 12.1.2 of ISO/IEC 27001:2022. This is to ensure that the security of information and systems is not compromised by the changes, and that the changes are authorized, documented, tested, and approved before implementation. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 63. : ISO/IEC 27001:2022, clause 12.1.2.
質問 # 62
As a new member of the IT department you have noticed that confidential information has been leaked several times. This may damage the reputation of the company. You have been asked to propose an organisational measure to protect laptop computers. What is the first step in a structured approach to come up with this measure?
- A. Appoint security staff
- B. Encrypt all sensitive information
- C. Formulate a policy
- D. Set up an access control procedure
正解:C
解説:
An organisational measure is a measure that involves the establishment of policies, procedures, roles, responsibilities, and structures to manage information security within an organization. Examples of organisational measures include security policies, awareness programs, risk assessments, audits, and incident response plans. A policy is a statement of intent or direction that provides guidance for decision making and actions within an organization. A policy defines the scope, objectives, principles, and roles for information security management. Therefore, formulating a policy is the first step in a structured approach to come up with an organisational measure to protect laptop computers. Reference: ISO/IEC 27000:2022, clause 3.47; ISO/IEC 27001:2022, clause 5.2.
質問 # 63
Which of the following factors does NOT contribute to the value of data for an organisation?
- A. The correctness of data
- B. The indispensability of data
- C. The importance of data for processes
- D. The content of data
正解:D
質問 # 64
You are an experienced audit team leader guiding an auditor in training.
Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.
You are an experienced audit team leader guiding an auditor in training, Your team is currently conducting a third-party surveillance audit of an organisation that stores data on behalf of external clients. The auditor in training has been tasked with reviewing the TECHNOLOGICAL controls listed in the Statement of Applicability (SoA) and implemented at the site.
Select four controls from the following that would you expect the auditor in training to review.
- A. The organisation's arrangements for maintaining equipment
- B. The organisation's arrangements for information deletion
- C. Information security awareness, education and training
- D. How power and data cables enter the building
- E. How the organisation evaluates its exposure to technical vulnerabilities
- F. How access to source code and development tools are managed
- G. Access to and from the loading bay
- H. Confidentiality and nondisclosure agreements
- I. The conducting of verification checks on personnel
- J. How information security has been addressed within supplier agreements
- K. How protection against malware is implemented
- L. Remote working arrangements
- M. The organisation's business continuity arrangements
- N. Rules for transferring information within the organisation and to other organisations
- O. The operation of the site CCTV and door control systems
- P. The development and maintenance of an information asset inventory
正解:E、F、K、O
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:
How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.
How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.
How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A.14.2.5 of ISO/IEC 27002:20132.
The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. For example, the development and maintenance of an information asset inventory (related to control A.8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. Reference: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls
質問 # 65
You have a hard copy of a customer design document that you want to dispose off. What would you do
- A. Throw it in any dustbin
- B. Be environment friendly and reuse it for writing
- C. Shred it using a shredder
- D. Give it to the office boy to reuse it for other purposes
正解:C
解説:
The best way to dispose of a hard copy of a customer design document is to shred it using a shredder. This is because shredding ensures that the document is destroyed and cannot be reconstructed or accessed by unauthorized persons. A customer design document may contain sensitive or confidential information that could cause harm or damage to the customer or the organization if disclosed. Therefore, it is important to protect the confidentiality and integrity of the document until it is securely disposed of. Throwing it in any dustbin, giving it to the office boy to reuse it for other purposes, or reusing it for writing are not secure ways of disposing of the document, as they could expose the document to unauthorized access, theft, loss or damage. ISO/IEC 27001:2022 requires the organization to implement procedures for the secure disposal of media containing information (see clause A.8.3.2). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Secure Disposal?
質問 # 66
A scenario wherein the city or location where the building(s) reside is / are not accessible.
- A. Component
- B. Facility
- C. Country
- D. City
正解:D
質問 # 67
__________ is a software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
- A. Malware
- B. Operating System
- C. Trojan
- D. Virus
正解:A
解説:
Malware is a software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is a general term that covers various types of malicious software, such as viruses, worms, trojans, ransomware, spyware, adware, etc. Malware can cause serious damage to the organization's information assets and reputation, and may lead to legal or regulatory consequences. Therefore, the organization should implement appropriate controls to prevent, detect and remove malware, as specified in ISO/IEC 27001:2022 clause 12.2.1. Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is malware?
質問 # 68
Which two activities align with the "Check'' stage of the Plan-Do-Check-Act cycle when applied to the process of managing an internal audit program as described in ISO 19011?
- A. Review trends in internal audit result
- B. Conduct internal audits
- C. Define audit criteria and scope for each internal audit
- D. Establish a risk-based internal audit programme
- E. Update the internal audit programme
- F. Verify effectiveness of the internal audit programme
- G. Retains records of internal audits
正解:A、F
解説:
The Check stage of the PDCA cycle involves monitoring and measuring the performance of the process and comparing it with the planned objectives and criteria. In the context of managing an internal audit programme, this stage includes verifying the effectiveness of the internal audit programme by evaluating whether it meets its objectives, scope, and criteria, and whether it is implemented in accordance with ISO 19011 guidelines1. It also includes reviewing the trends in internal audit results by analyzing the data collected from the audits, such as audit findings, nonconformities, corrective actions, opportunities for improvement, and customer feedback1. Reference: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 69
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.
The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:
Stop the admission of any NEW residents.
70% of administration staff and 30% of medical staff will work from home.
Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.
Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.
You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that.
You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.
- A. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)
- B. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)
- C. Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
- D. Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)
- E. Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)
- F. Collect more evidence by interviewing more staff about their feeling about working from home. (Relevant to clause 4.2)
正解:C、D、E
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), control A.5.29 requires an organization to establish and maintain a business continuity management process to ensure the continued availability of information and information systems at the required level following disruptive incidents1. The organization should identify and prioritize critical information assets and processes, assess the risks and impacts of disruptive incidents, develop and implement business continuity plans (BCPs), test and review the BCPs, and ensure that relevant parties are aware of their roles and responsibilities1. Therefore, when verifying the information security of the business continuity management process, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that will be in the audit trail for verifying control A.5.29 are:
Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to protect the confidentiality, integrity and availability of information and information systems when staff work from home using mobile devices, such as laptops, tablets or smartphones. This is related to control A.6.7, which requires an organization to establish a policy and procedures for teleworking and use of mobile devices1.
Collect more evidence on how and when the Business Continuity Plan has been tested (Relevant to control A.5.29): This option is relevant because it can provide evidence of how the organization has tested and reviewed the BCPs to ensure their effectiveness and suitability for different scenarios, such as a pandemic. This is related to control A.5.29, which requires an organization to test and review the BCPs at planned intervals or when significant changes occur1.
Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2): This option is relevant because it can provide evidence of how the organization has implemented appropriate controls to prevent or reduce the risk of infection or transmission of diseases among staff or residents, such as requiring regular staff self-testing and using a health status app. This is related to control A.7.2, which requires an organization to ensure that all employees and contractors are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational policies and procedures in this respect1.
The other options are not relevant to verifying control A.5.29, as they are not related to the control or its requirements. For example:
Collect more evidence by interviewing more staff about their feeling about working from home (Relevant to clause 4.2): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 4.2, which requires an organization to understand the needs and expectations of interested parties, but not specifically to control A.5.29.
Collect more evidence on what resources the organisation provides to support the staff working from home (Relevant to clause 7.1): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 7.1, which requires an organization to determine and provide the resources needed for its ISMS, but not specifically to control A.5.29.
Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home (Relevant to clause 6): This option is not relevant because it does not provide evidence of how the organization has established and maintained a business continuity management process or ensured the continued availability of information and information systems following disruptive incidents. It may be related to clause 6, which requires an organization to plan actions to address risks and opportunities for its ISMS, but not specifically to control A.5.29.
質問 # 70
What is an example of a human threat?
- A. a lightning strike
- B. thunderstrom
- C. fire
- D. phishing
正解:D
解説:
A human threat is a threat that originates from a person or a group of people who intentionally or unintentionally cause harm to an organization's information assets. Examples of human threats include hackers, insiders, terrorists, criminals, competitors, or disgruntled employees. A human threat can exploit technical, physical, or organizational vulnerabilities to compromise the confidentiality, integrity, or availability of information. Phishing is an example of a human threat that uses social engineering techniques to trick users into revealing sensitive information, such as passwords, credit card numbers, or bank account details. Phishing attacks often involve sending fraudulent emails or messages that appear to be from legitimate sources, such as banks, government agencies, or trusted contacts. The messages may contain links to malicious websites or attachments that contain malware. Therefore, the correct answer is C. Reference: ISO/IEC 27000:2022, clause 3.25; What is Phishing? | How to Identify & Avoid Phishing Scams.
質問 # 71
You are performing an ISMS initial certification audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to conduct the closing meeting. During the final audit team meeting, as an audit team leader, you agree to report 2 minor nonconformities and 1 opportunity for improvement as below:
Select one option of the recommendation to the audit programme manager you are going to advise to the auditee at the closing meeting.
- A. Recommend certification immediately
- B. Recommend certification after your approval of the proposed corrective action plan Recommend that the findings can be closed out at a surveillance audit in 1 year
- C. Recommend that an unannounced audit is carried out at a future date
- D. Recommend that a partial audit is required within 3 months
- E. Recommend that a full scope re-audit is required within 6 months
正解:B
解説:
According to ISO/IEC 17021-1:2015, which specifies the requirements for bodies providing audit and certification of management systems, clause 9.4.9 requires the certification body to make a certification decision based on the information obtained during the audit and any other relevant information1. The certification body should also consider the effectiveness of the corrective actions taken by the auditee to address any nonconformities identified during the audit1. Therefore, when making a recommendation to the audit programme manager, an ISMS auditor should consider the nature and severity of the nonconformities and the proposed corrective actions.
Based on the scenario above, the auditor should recommend certification after their approval of the proposed corrective action plan and recommend that the findings can be closed out at a surveillance audit in 1 year. The auditor should provide the following justification for their recommendation:
Justification: This recommendation is appropriate because it reflects the fact that the auditee has only two minor nonconformities and one opportunity for improvement, which do not indicate a significant or systemic failure of their ISMS. A minor nonconformity is defined as a failure to achieve one or more requirements of ISO/IEC 27001:2022 or a situation which raises significant doubt about the ability of an ISMS process to achieve its intended output, but does not affect its overall effectiveness or conformity2. An opportunity for improvement is defined as a suggestion for improvement beyond what is required by ISO/IEC 27001:20222. Therefore, these findings do not prevent or preclude certification, as long as they are addressed by appropriate corrective actions within a reasonable time frame. The auditor should approve the proposed corrective action plan before recommending certification, to ensure that it is realistic, achievable, and effective. The auditor should also recommend that the findings can be closed out at a surveillance audit in 1 year, to verify that the corrective actions have been implemented and are working as intended.
The other options are not valid recommendations for the audit programme manager, as they are either too lenient or too strict for the given scenario. For example:
Recommend certification immediately: This option is not valid because it implies that the auditor ignores or accepts the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:20182, which provides guidelines for auditing management systems. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to consider the effectiveness of the corrective actions taken by the auditee before making a certification decision.
Recommend that a full scope re-audit is required within 6 months: This option is not valid because it implies that the auditor overreacts or exaggerates the nonconformities, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to determine whether a re-audit is necessary based on the nature and extent of nonconformities and other relevant factors. A full scope re-audit is usually reserved for major nonconformities or multiple minor nonconformities that indicate a serious or widespread failure of an ISMS.
Recommend that an unannounced audit is carried out at a future date: This option is not valid because it implies that the auditor distrusts or doubts the auditee's commitment or capability to implement corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to conduct unannounced audits only under certain conditions, such as when there are indications of serious problems with an ISMS or when required by sector-specific schemes.
Recommend that a partial audit is required within 3 months: This option is not valid because it implies that the auditor imposes or prescribes a specific time frame or scope for verifying corrective actions, which is contrary to the audit principles and objectives of ISO 19011:20182. It also contradicts the requirement of ISO/IEC 17021-1:20151, which requires the certification body to determine whether a partial audit is necessary based on the nature and extent of nonconformities and other relevant factors. A partial audit may be appropriate for minor nonconformities, but the time frame and scope should be agreed upon with the auditee and based on the proposed corrective action plan.
質問 # 72
......
PECBのISO-IEC-27001-Lead-Auditor試験は、高い知識と技能を要求する厳格かつ難解なテストです。候補者は、情報セキュリティ管理の原則や慣行に堅牢な理解を持ち、監査を実施し、組織の情報セキュリティ管理システムを管理する経験を持っている必要があります。試験は複数選択問題から構成され、候補者は70%以上のスコアを取得する必要があります。
最新100%合格率保証付きの素晴らしいISO-IEC-27001-Lead-Auditor試験問題PDF:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-mondaishu.html
実践サンプルと問題集指導には2023年最新のISO-IEC-27001-Lead-Auditor有効なテスト問題集:https://drive.google.com/open?id=1fK3kQ04c5NVv-jgLWlVF1bqlm5SS6miB