検証済みISO-IEC-27001-Lead-Auditor-CN問題集PDF資料 [2025]
最新のISO-IEC-27001-Lead-Auditor-CN実際の無料試験問題更新された290問あります
質問 # 154
以下是「誠信」的目的,這是資訊安全的基本組成部分之一
- A. 資訊不會提供或揭露給未經授權的個人的屬性
- B. 根據授權實體的要求可存取和使用的屬性。
- C. 資訊不會提供或揭露給未經授權的個人的屬性
- D. 保障資產準確性和完整性的屬性。
正解:D
解説:
Integrity is one of the basic components of information security, along with confidentiality and availability.
Integrity means that information is safeguarded from unauthorized or accidental changes that could affect its accuracy and completeness. Integrity ensures that information is reliable and trustworthy3. References: ISO
/IEC 27001:2022 Lead Auditor Training Course - BSI
質問 # 155
審核員應具備一定的知識和技能;而審計組長也應該具備一些額外的知識和技能。從下面的清單中,選擇僅適用於審核團隊領導的兩項。
- A. 驗證所收集資訊的相關性和準確性
- B. 有效利用提供給審計的資源
- C. 瞭解並應用以風險為基礎的稽核方法
- D. 應用適當的取樣技術
- E. 了解受審核方的文化和社會面
- F. 計劃審核
正解:B、F
解説:
According to the PECB Candidate Handbook1, audit team leaders should have the following additional knowledge and skills compared to auditors:
*Plan the audit, including preparing the audit plan, assigning work to the audit team members and coordinating their activities
*Make effective use of resources provided to the audit, such as personnel, time, budget and equipment
*Manage the audit process, including leading the opening and closing meetings, directing the audit team, resolving conflicts and ensuring the audit objectives are achieved
*Review and approve the audit report and audit findings
*Communicate with the client and other interested parties throughout the audit References: 1: PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 9-10.
質問 # 156
關鍵的審計流程是審計員收集資訊並確定調查結果特徵的方式。按正確的順序列出列出的操作以完成此過程。最後一項已為您完成。
正解:
解説:
Explanation:
* Determine source of information
* Collect by means of appropriate sampling
* Reviewing
* Audit evidence
* Evaluating against audit criteria
* Audit findings
* Audit conclusions
The reviewing step involves checking the accuracy, completeness, and relevance of the collected information.
The audit evidence step involves documenting the information in a verifiable and traceable manner. The evaluating against audit criteria step involves comparing the audit evidence with the requirements of the ISO
27001 standard and the organization's own policies and objectives. The audit findings step involves identifying any nonconformities, weaknesses, or opportunities for improvement in the ISMS. The audit conclusions step involves summarizing the audit results and providing recommendations for corrective actions or enhancements.
質問 # 157
您是一位經驗豐富的 ISMS 審核團隊領導者。受訓的審核員已與您聯繫,要求您澄清她可能需要進行的不同類型的審核。
將以下審核類型與描述相符。
要填寫表格,請按一下要填寫的空白部分,以便反白顯示“In fed”,然後從下面的選項中按一下適用的文字。或者,您可以將每個選項拖曳到相應的空白部分。
正解:
解説:

質問 # 158
下列哪一個選項不是審核組組長的角色?
- A. 審核期間預防與解決衝突
- B. 設立道德委員會
- C. 準備並解釋審核結論
正解:B
解説:
The role of the audit team leader does not include setting up an ethics committee. The primary responsibilities of the audit team leader include planning the audit, directing the activities of the audit team, ensuring compliance with the auditing standards, managing conflicts that arise during the audit, and presenting audit conclusions.
References: ISO 19011:2018 Guidelines for auditing management systems
質問 # 159
在第三方認證審核的背景下,哪兩個選項規定了審核組長在管理審核和審核小組的管理職責?
- A. 審核高階管理人員
- B. 與受審核方建立聯繫
- C. 採用風險為本的方法來規劃審核
- D. 準備審核不合格報告
- E. 採訪 ISMS 經理
- F. 頒發管理體系證書
正解:B、C
質問 # 160
在第二階段審核的開幕會議上,客戶組織的總經理邀請審核團隊觀看 45 分鐘的新公司影片。審核組長應做出下列哪兩項回應?
- A. 建議可以在茶歇期間觀看該視頻
- B. 說明審核組長將在開幕會議後留下來代表團隊觀看視頻
- C. 說明審核小組將在稍後對觀看做出決定
- D. 邀請總經理當晚到審計師下榻的飯店參觀。
- E. 通知總經理審計團隊同意他的請求
- F. 建議總經理審計團隊必須遵守計畫的時間表
正解:A、F
解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an opening meeting is a formal communication between the audit team and the auditee at the start of an audit1. The purpose of the opening meeting is to confirm the audit objectives, scope and criteria, introduce the audit team and their roles, confirm the audit plan and logistics, explain the audit methods and procedures, and establish the communication channels1. Therefore, if the Managing Director of the client organization invites the audit team to view a new company video lasting 45 minutes during the opening meeting of a Stage 2 audit, the audit team leader should respond in a way that does not compromise the effectiveness and efficiency of the audit or create any misunderstanding or conflict with the auditee. Two possible ways to respond are to advise the Managing Director that the audit team has to keep to the planned schedule, as there may be limited time and resources available for the audit; or to suggest that the video could be viewed during a refreshment break, if it is relevant and useful for the audit and does not interfere with other audit activities1. The other options are not appropriate responses for the audit team leader to make in this situation. For example, stating that the audit team leader will stay behind after the opening meeting to view the video on behalf of the team may imply that the video is not important or relevant for the rest of the audit team; inviting the Managing Director to the auditors' hotel for a viewing that evening may create an impression of bias or favouritism; stating that the audit team will make a decision on the viewing at a later time may be vague or indecisive; and advising the Managing Director that the audit team agrees to his request may result in wasting valuable audit time or losing focus on the audit objectives1. References: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 161
下列哪兩個短語適用於業務流程的計畫-執行-檢查-行動週期中的「檢查」?
- A. 重設目標
- B. 管理變更
- C. 驗證訓練
- D. 進行改進
- E. 審核流程
- F. 更新資訊安全策略
正解:C、E
解説:
The two phrases that would apply to 'check' in the Plan-Do-Check-Act cycle for a business process are:
* C. Verifying training
* F. Auditing processes
* C. This phrase applies to 'check' in the PDCA cycle because it involves measuring and evaluating the effectiveness of the training activities that were implemented in the 'do' phase. Training is an important aspect of information security awareness, education, and competence, which are required by clause 7.2 of ISO 27001:20221. Verifying training can help the organisation to assess whether the staff have acquired the necessary knowledge, skills, and behaviour to perform their roles and responsibilities in relation to information security. Verifying training can also help the organisation to identify any gaps or weaknesses in the training program and to plan for improvement actions.
* F. This phrase applies to 'check' in the PDCA cycle because it involves examining and reviewing the performance and conformity of the processes that were implemented in the 'do' phase. Auditing is a systematic, independent, and documented process for obtaining objective evidence and evaluating it to determine the extent to which the audit criteria are fulfilled2. Auditing processes can help the organisation to verify whether the information security objectives and requirements are met, whether the information security controls are effective and efficient, and whether the information security risks are adequately managed. Auditing processes can also help the organisation to identify any nonconformities or opportunities for improvement and to plan for corrective or preventive actions.
References:
1: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause 7.2 2: ISO 19011:2018 - Guidelines for auditing management systems, clause 3.2
質問 # 162
您詢問 IT 經理,為什麼組織仍在使用行動應用程序,而個人資料加密和假名化測試卻失敗了。此外,服務經理是否有權批准測試。
IT經理解釋說,根據軟體安全管理程序,測試結果應由他批准。加密和假名功能失敗的原因是這些功能嚴重降低了系統和服務效能。需要額外 150% 的資源來滿足這一點。服務經理同意存取控制足夠好並且可以接受。這就是服務經理簽署批准書的原因。
您對醫務人員的手機進行採樣,發現安裝了 ABC 的醫療保健移動應用程序,版本 1.01。你發現1.01版本沒有測試記錄。
IT經理解釋說,由於勒索軟體攻擊頻繁,外包行動應用開發公司對受測軟體進行了免費小幅更新,並對更新後的軟體進行了緊急發布,並口頭保證不會對安全造成任何影響。
以他20年的資訊安全經驗來看,沒有必要重新測試。
您正在準備審核結果 請選擇兩個正確的選項。
- A. 不存在不合格項 (NC)。 IT 經理證明他完全有能力。 (與第7.2條相關)
- B. 存在不合格項 (NC)。組織不控制計劃的變更並審查非預期變更的後果。 (與第8.1條相關)
- C. 還有改進的機會 (OI)。該組織根據其提供的免費服務的範圍選擇外部服務提供者。 (與第 8.1 條相關,控制措施 A.5.21)
- D. 不存在不合格項 (NC)。 IT 經理展現了良好的領導能力。 (與條款相關
5.1,控制5.4) - E. 存在不合格項 (NC)。 IT 經理不遵守軟體安全管理程序。 (與第 8.1 條相關,控制措施 A.8.30)
- F. 還有改進的機會 (OI)。 IT 經理應根據適當的測試做出是否繼續提供服務的決定。 (與第 8.1 條相關,控制措施 A.8.30)
正解:B、E
解説:
According to ISO 27001:2022 Annex A Control 8.30, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes developing and entering into licensing agreements that cover code ownership and intellectual property rights, and implementing appropriate contractual requirements related to secure design and coding in accordance with Annex A 8.25 and 8.2912 In this case, the organisation and the developer have performed security tests that failed, which indicates that the secure design and coding requirements of Annex A 8.29 were not met. The IT Manager explains that the encryption and pseudonymization functions failed because they slowed down the system and service performance, and that an extra 150% of resources are needed to cover this. However, this does not justify the acceptance of the test results by the Service Manager, who is not authorised to approve the test according to the software security management procedure. The Service Manager should have consulted with the IT Manager, who is the owner of the process, and followed the procedure for handling nonconformities and corrective actions. The Service Manager's decision to continue the service based on access control alone exposes the organisation to the risk of compromising the confidentiality, integrity, and availability of personal data processed by the mobile app. Therefore, there is a nonconformity (NC) with clause 8.1, control A.8.30.
According to ISO 27001:2022 Clause 8.1, the organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in Clause
6.1. The organisation shall also control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary12 In this case, the organisation has not controlled the planned change of the mobile app from version 1.0 to version 1.01, which was a minor update provided by the outsourced developer in response to frequent ransomware attacks. The IT Manager explains that the developer performed an emergency release of the updated software, and gave a verbal guarantee that there will be no impact on any security functions.
However, this is not sufficient to ensure that the change is properly assessed, tested, documented, and approved before deployment. The IT Manager should have followed the change management process and procedure, and verified that the updated software meets the security requirements and does not introduce any new vulnerabilities or risks. The IT Manager's reliance on his 20 years of information security experience and the developer's verbal guarantee is not a valid basis for skipping the re-testing of the software. Therefore, there is a nonconformity (NC) with clause 8.1.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
質問 # 163
進行認證審核的審核員在製定審核計畫時不需要下列哪一份工作文件?
- A. 範例計劃
- B. 外部提供者列表
- C. IT 經理的職業經歷
- D. 清單
- E. 審核計劃
- F. 組織的財務報表
正解:B、C、F
解説:
According to ISO 19011:2018, which provides guidelines for auditing management systems, an auditor conducting a certification audit should prepare for an audit by reviewing relevant information about the auditee's context and processes1. This may include reviewing documented information related to the audited management system (such as policies, procedures, manuals), previous audit reports and records (such as findings, nonconformities, corrective actions), relevant legal and regulatory requirements (such as laws, standards), relevant risks and opportunities (such as internal and external issues), relevant performance indicators (such as objectives, targets), etc1. Therefore, an auditor may need work documents such as an audit plan (which defines what will be done during an audit), a sample plan (which defines how many samples will be taken from a population), and a checklist (which helps to ensure that all relevant aspects are covered during an audit)1. However, an auditor does not need work documents such as an organisation's financial statement (which is not directly related to information security management), a career history of the IT manager (which is not relevant to assessing conformity with ISO/IEC 27001:2022), or a list of external providers (which is not necessary for planning an audit)1. References: ISO 19011:2018 - Guidelines for auditing management systems
質問 # 164
場景9:UpNet是一家網路公司,已通過ISO/IEC 27001認證。
自從獲得 ISO/IEC 27001 認證以來,該公司的認可度大幅提高。此認證證實了 UpNefs 營運的成熟性及其符合廣泛認可和接受的標準。
但認證之後一切還沒結束。 UpNet 透過進行內部稽核不斷審查和增強其安全控制以及 ISMS 的整體有效性和效率。高階主管不願意聘請全職內部稽核團隊,因此決定將內部稽核職能外包。這種形式的內部稽核確保了獨立性、客觀性,並且在 ISMS 的持續改進方面發揮諮詢作用。
在初次認證審核後不久,該公司創建了一個專門從事數據和儲存產品的新部門。他們提供針對資料中心和基於軟體的網路設備(例如網路虛擬化和網路安全設備)進行最佳化的路由器和交換器。這導致 ISMS 認證範圍內已涵蓋的其他部門的營運發生變化。
所以。 UpNet 啟動了風險評估流程和內部稽核。根據內部審計結果,公司確認了現有和新流程和控制的有效性和效率。
由於新部門符合 ISO/IEC 27001 要求,最高管理層決定將其納入認證範圍。 UpNet宣布取得ISO/IEC 27001認證,認證範圍涵蓋全公司。
在初次認證審核一年後,認證機構對 UpNefs ISMS 進行了另一次審核。
此次審核旨在確定 UpNefs ISMS 是否符合指定的 ISO/IEC 27001 要求,並確保 ISMS 持續改善。審核小組確認,經過認證的 ISMS 繼續符合標準的要求。儘管如此,新部門對管理體系的治理產生了重大影響。此外,認證機構並未獲悉任何變更。因此,UpNefs認證被暫停。
根據上述場景,回答以下問題:
UpNet 將內部稽核職能外包,如場景 9 所示。
- A. 否,因為內部審核流程不僅僅包含審核計劃
- B. 不,內部稽核不一定必須是獨立且客觀的,因為它們具有諮商作用
- C. 是的,它提高了內部稽核的獨立性和公正性,因為審計員不具有與 ISMS 相關的營運角色
正解:C
解説:
Yes, outsourcing the internal audit function can positively impact the internal audit process by increasing its independence and impartiality. This helps ensure that the internal audits are conducted without any bias or influence from the company's internal management.
質問 # 165
選擇兩個描述使用清單的優點的選項。
- A. 限制訪談指定方
- B. 必要時不要改變清單
- C. 每次審核都使用相同的清單,無需審核
- D. 減少審核時間
- E. 確保遵循相關審核跟踪
- F. 確保審核計畫得到實施
正解:E、F
解説:
A checklist is a tool that helps auditors to collect and verify information relevant to the audit objectives and scope. It can provide the following advantages:
* Ensuring relevant audit trails are followed: A checklist can help auditors to identify and trace the sources of evidence that support the conformity or nonconformity of the audited criteria. It can also help auditors to avoid missing or overlooking any important aspects of the audit.
* Ensuring the audit plan is implemented: A checklist can help auditors to follow and fulfil the audit plan, which describes the arrangements and details of the audit, such as the objectives, scope, criteria, schedule, roles, and responsibilities. It can also help auditors to manage their time and resources effectively and efficiently.
The other options are not advantages of using a checklist, but rather:
* Using the same checklist for every audit without review: This is a disadvantage of using a checklist, as it can lead to a rigid and ineffective audit approach. A checklist should be tailored and adapted to each specific audit, taking into account the context, risks, and changes of the auditee and the audit criteria. A checklist should also be reviewed and updated periodically to ensure its validity and relevance.
* Restricting interviews to nominated parties: This is a disadvantage of using a checklist, as it can limit the scope and depth of the audit. A checklist should not prevent auditors from interviewing other relevant parties or sources of information that may provide valuable evidence or insights for the audit.
A checklist should be used as a guide, not as a constraint.
* Reducing audit duration: This is not necessarily an advantage of using a checklist, as it depends on various factors, such as the complexity, size, and maturity of the auditee's ISMS, the availability and quality of evidence, the competence and experience of the auditors, and the level of cooperation and communication between the auditors and the auditee. A checklist may help reduce audit duration by improving efficiency and organization, but it may also increase audit duration by requiring more evidence or verification.
* Not varying from the checklist when necessary: This is a disadvantage of using a checklist, as it can result in a superficial or incomplete audit. A checklist should not prevent auditors from exploring or investigating any issues or concerns that arise during the audit, even if they are not included in the checklist. A checklist should be used as a support, not as a substitute.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO 19011:2018 Guidelines for auditing management systems [Section 6.2.2]
質問 # 166
您的組織目前正在尋求 ISO/IEC27001:2022 認證。您剛剛獲得內部 ISMS 審核員資格,ICT 經理希望利用您新獲得的知識來協助他設計資訊安全事件管理流程。
他確定了計劃流程中的以下階段,並要求您確認它們應按哪個順序出現。
正解:
解説:
Explanation:
Step 1 = Incident logging Step 2 = Incident categorisation Step 3 = Incident prioritisation Step 4 = Incident assignment Step 5 = Task creation and management Step 6 = SLA management and escalation Step 7 = Incident resolution Step 8 = Incident closure The order of the stages in the information security incident management process should follow a logical sequence that ensures a quick, effective, and orderly response to the incidents, events, and weaknesses. The order should also be consistent with the best practices and guidance provided by ISO/IEC 27001:2022 and ISO
/IEC 27035:2022. Therefore, the following order is suggested:
* Step 1 = Incident logging: This step involves recording the details of the potential incident, event, or weakness, such as the date, time, source, description, impact, and reporter. This step is important to provide a traceable record of the incident and to facilitate the subsequent analysis and response. This step is related to control A.16.1.1 of ISO/IEC 27001:2022, which requires the organization to establish responsibilities and procedures for the management of information security incidents, events, and weaknesses. This step is also related to clause 6.2 of ISO/IEC 27035:2022, which provides guidance on how to log the incidents, events, and weaknesses.
* Step 2 = Incident categorisation: This step involves determining the type and nature of the incident, event, or weakness, such as whether it is a hardware issue, network issue, or software issue. This step is important to classify the incident and to assign it to the appropriate resolver or team. This step is related to control A.16.1.2 of ISO/IEC 27001:2022, which requires the organization to report information security events and weaknesses as quickly as possible through appropriate management channels. This step is also related to clause 6.3 of ISO/IEC 27035:2022, which provides guidance on how to categorize the incidents, events, and weaknesses.
* Step 3 = Incident prioritisation: This step involves assessing the severity and urgency of the incident, event, or weakness, and classifying it as critical, high, medium, or low. This step is important to prioritize the incident and to allocate the necessary resources and time for the response. This step is related to control A.16.1.3 of ISO/IEC 27001:2022, which requires the organization to assess and prioritize information security events and weaknesses in accordance with the defined criteria. This step is also related to clause 6.4 of ISO/IEC 27035:2022, which provides guidance on how to prioritize the incidents, events, and weaknesses.
* Step 4 = Incident assignment: This step involves passing the incident, event, or weakness to the individual or team who is best suited to resolve it, based on their skills, knowledge, and availability.
This step is important to ensure that the incident is handled by the right person or team and to avoid delays or confusion. This step is related to control A.16.1.4 of ISO/IEC 27001:2022, which requires the organization to respond to information security events and weaknesses in a timely manner, according to the agreed procedures. This step is also related to clause 6.5 of ISO/IEC 27035:2022, which provides guidance on how to assign the incidents, events, and weaknesses.
* Step 5 = Task creation and management: This step involves identifying and coordinating the work needed to resolve the incident, event, or weakness, such as performing root cause analysis, testing solutions, implementing changes, and documenting actions. This step is important to ensure that the incident is resolved effectively and efficiently, and that the actions are tracked and controlled. This step is related to control A.16.1.5 of ISO/IEC 27001:2022, which requires the organization to apply lessons learned from information security events and weaknesses to take corrective and preventive actions. This step is also related to clause 6.6 of ISO/IEC 27035:2022, which provides guidance on how to create and manage the tasks for the incidents, events, and weaknesses.
* Step 6 = SLA management and escalation: This step involves ensuring that any service level agreements (SLAs) are adhered to while the resolution is being implemented, and that the incident is escalated to a higher level of authority or support if a breach looks likely or occurs. This step is important to ensure that the incident is resolved within the agreed time frame and quality, and that any deviations or issues are communicated and addressed. This step is related to control A.16.1.6 of ISO
/IEC 27001:2022, which requires the organization to communicate information security events and weaknesses to the relevant internal and external parties, as appropriate. This step is also related to clause 6.7 of ISO/IEC 27035:2022, which provides guidance on how to manage the SLAs and escalations for the incidents, events, and weaknesses.
* Step 7 = Incident resolution: This step involves applying a temporary workaround or a permanent solution to resolve the incident, event, or weakness, and restoring the normal operation of the information and information processing facilities. This step is important to ensure that the incident is resolved completely and satisfactorily, and that the information security is restored to the desired level.
This step is related to control A.16.1.7 of ISO/IEC 27001:2022, which requires the organization to identify the cause of information security events and weaknesses, and to take actions to prevent their recurrence or occurrence. This step is also related to clause 6.8 of ISO/IEC 27035:2022, which provides guidance on how to resolve the incidents, events, and weaknesses.
* Step 8 = Incident closure: This step involves closing the incident, event, or weakness, after verifying that it has been resolved satisfactorily, and that all the actions have been completed and documented.
This step is important to ensure that the incident is formally closed and that no further actions are required. This step is related to control A.16.1.8 of ISO/IEC 27001:2022, which requires the organization to collect evidence and document the information security events and weaknesses, and the actions taken. This step is also related to clause 6.9 of ISO/IEC 27035:2022, which provides guidance on how to close the incidents, events, and weaknesses.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements1
* PECB Candidate Handbook ISO/IEC 27001 Lead Auditor2
* ISO 27001:2022 Lead Auditor - PECB3
* ISO 27001:2022 certified ISMS lead auditor - Jisc4
* ISO/IEC 27001:2022 Lead Auditor Transition Training Course5
* ISO 27001 - Information Security Lead Auditor Course - PwC Training Academy6
* ISO/IEC 27035:2022, Information technology - Security techniques - Information security incident management
質問 # 167
CMM 代表什麼?
- A. 能力成熟度矩陣
- B. 有能力的成熟模型
- C. 能力成熟度矩陣
- D. 能力成熟度模型
正解:D
解説:
Capability Maturity Model (CMM) is a framework that describes the key elements of an effective software process. It defines five levels of maturity for software development organizations, from initial to optimized. The CMM helps organizations to assess their current level of process capability and identify the areas for improvement1. References: ISO/IEC 27001:2022 Lead Auditor - IECB
質問 # 168
資訊階段
- A. 創造、演化、維護、使用、處置
- B. 建立、分發、使用、維護、處置
- C. 建立、使用、處置、維護、演變
- D. 建立、分發、維護、處置、使用
正解:B
解説:
The stages of information are creation, distribution, use, maintenance, and disposition. These are the phases that information goes through during its lifecycle, from the moment it is generated to the moment it is destroyed or archived. Each stage of information has different security requirements and risks, and should be managed accordingly. Creation, evolution, maintenance, use, and disposition are not the correct stages of information, as evolution is not a distinct stage, but a process that can occur in any stage. Creation, use, disposition, maintenance, and evolution are not the correct stages of information, as they are not in the right order. Creation, distribution, maintenance, disposition, and use are not the correct stages of information, as they are not in the right order. References: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 32. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 12.
質問 # 169
您正在 ABC Healthcare Services 的療養院執行 ISO 27001 ISMS 監督審核。 ABC 使用由供應商 WeCare 設計和維護的醫療保健行動應用程式來監控居民的健康狀況。在審核過程中,您了解到90%的居民家庭成員每週都會透過電子郵件和簡訊定期收到WeCare的醫療器材廣告。 ABC 與 WeCare 之間的服務協議禁止供應商使用居民的個人資料。美國廣播公司已收到許多居民及其家人的投訴。
服務經理表示,這些投訴作為資訊安全事件進行了調查,發現這些投訴是合理的。
已根據不合格和糾正措施管理程序規劃並實施糾正措施。
您寫了一份不合格項“ABC 未能遵守與居民及其家庭成員的個人資料相關的資訊安全控制 A.5.34(隱私和 PII 保護)。供應商 WeCare 使用居民的個人資訊向家庭成員。”從列出的糾正和糾正措施中選擇您希望 ABC 針對不合格項採取的三個選項。
- A. ABC 要求 ISMS 顧問測試 ABC Healthcare 行動應用程式以防範網路犯罪。
- B. ABC 取消與 WeCare 的服務協定。
- C. ABC 為所有供應商引入了資訊安全績效背景調查。
- D. ABC 對 WeCare 違反合約採取法律行動。
- E. ABC 確認資訊安全控制 A.5.34 包含在適用性聲明 (SoA) 中。
- F. ABC 定期監控涉及第三方的所有適用法律和合約要求的遵守情況。
- G. ABC 停止使用 ABC Healthcare 行動應用程式。
- H. ABC 對所有員工進行維護資訊安全協定重要性的訓練。
正解:B、C、F
解説:
The three options of the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity are:
* B. ABC cancels the service agreement with WeCare.
* E. ABC introduces background checks on information security performance for all suppliers.
* F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
* B. This option is a possible correction and corrective action that ABC could take to address the nonconformity. A correction is the action taken to eliminate a detected nonconformity, while a corrective action is the action taken to eliminate the cause of a nonconformity and to prevent its recurrence1. By cancelling the service agreement with WeCare, ABC could stop the unauthorized use of residents' personal data and protect their privacy and rights. This could also prevent further complaints and legal issues from the residents and their family members. However, this option may also have some drawbacks, such as the loss of a service provider, the need to find an alternative solution, and the potential impact on the residents' well-being.
* E. This option is a possible corrective action that ABC could take to address the nonconformity. By introducing background checks on information security performance for all suppliers, ABC could ensure that they select and work with reliable and trustworthy partners who respect the confidentiality, integrity, and availability of the information they handle. This could also help ABC to comply with information security control A.15.1.1 (Information security policy for supplier relationships), which requires the organisation to agree and document information security requirements for mitigating the risks associated with supplier access to the organisation's assets2.
* F. This option is a possible corrective action that ABC could take to address the nonconformity. By periodically monitoring compliance with all applicable legislation and contractual requirements involving third parties, ABC could verify that the suppliers are fulfilling their obligations and responsibilities regarding information security. This could also help ABC to comply with information security control A.18.1.1 (Identification of applicable legislation and contractual requirements), which requires the organisation to identify, document, and keep up to date the relevant legislative, regulatory, contractual, and other requirements to which the organisation is subject3.
References:
1: ISO 27000:2018 - Information technology - Security techniques - Information security management systems - Overview and vocabulary, clause 3.9 and 3.10 2: ISO/IEC 27001:2022 - Information technology
- Security techniques - Information security management systems - Requirements, Annex A, control A.
15.1.1 3: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, Annex A, control A.18.1.1
質問 # 170
您正在療養院進行 ISMS 審核,療養院的住戶總是戴著電子腕帶來監測他們的位置、心跳和血壓。腕帶會自動將這些資料上傳到雲端伺服器,供工作人員進行醫療保健監控和分析。
您現在希望驗證最高管理層是否已製定資訊安全策略和目標。您正在對行動裝置策略進行抽樣,並確定該策略的安全目標是「確保遠端辦公和行動裝置使用的安全」。
禁止個人行動裝置連接至療養院網路、處理和儲存居民資料。
本公司在ISMS範圍內的行動裝置應在資產登記冊中登記。
本公司的行動裝置應實施或啟用實體保護,即密碼保護的螢幕鎖定/解鎖、臉部或指紋解鎖裝置。
本公司的行動裝置應定期備份。
若要驗證行動裝置策略和目標是否已實施且有效,請為稽核追蹤選擇三個選項。
- A. 採訪設備供應商,確保他們了解 ISMS 政策
- B. 從值班醫護人員處抽取部分行動設備,並與資產登記冊驗證行動裝置資訊
- C. 查看訪客登記簿,確保任何訪客都不能在療養院內攜帶個人手機
- D. 與接待人員面談,確保在進入療養院之前檢查所有訪客和員工的行李
- E. 查看內部審核報告以確保 IT 部門已接受審核
- F. 檢查資產註冊以確保所有個人行動裝置已註冊
- G. 與高階主管面談,核實他們參與制定資訊安全政策和資訊安全目標的情況
- H. 檢查資產註冊以確保所有公司的行動裝置已註冊
正解:B、E、H
解説:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management's involvement and commitment.
To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy.
Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are:
* Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives.
* Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents' data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy.
* Review the asset register to make sure all company's mobile devices are registered: This option is relevant because it can provide evidence of how the company's mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy.
The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example:
* Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices.
* Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices.
* Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices.
* Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements
質問 # 171
外部審計師收到了對研究開發公司進行 ISMS 審計的邀請。在接受之前,他們與被審計方的內部稽核師(他們的朋友)討論了先前的審計報告。這是可以接受的嗎?
- A. 是的,審核員可以在接受審核委託之前審查並討論先前的審核報告
- B. 不可以,外部審核員只能與認證機構討論被審核方之前的審核報告
- C. 不,審計師即使在決定是否接受審計委託時也應保持客觀性
正解:C
解説:
No, the auditor should uphold objectivity even when deciding whether to accept the audit mandate or not.
Discussing previous audit reports with a friend who is an internal auditor at the auditee may compromise the external auditor's objectivity and independence.
References: ISO 19011:2018, Guidelines for auditing management systems, which emphasizes the need for auditors to maintain impartiality and confidentiality.
質問 # 172
下列哪一項是利害關係方的定義?
- A. 當第三人認為自己受到決策或活動的影響時,可以向組織提出申訴
- B. 可以控制決策或活動、被決策或活動控製或認為自己被決策或活動控制的個人或組織
- C. 可以影響決策或活動、受決策或活動影響或認為自己受決策或活動影響的個人或組織
- D. 可以乾擾管理決策或認為自己受到管理決策幹擾的團體或組織
正解:C
解説:
This is the definition of an interested party according to ISO 27001:2013, clause 3.16. An interested party is essentially a stakeholder, i.e., a person or organization that can influence or be influenced by the information security management system (ISMS) or its activities. Interested parties can have different needs and expectations regarding the ISMS, and these should be identified and addressed by the organization.
References:
* ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 3.16
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 10
* Identifying interested parties and their expectations for an ISO 27001 ISMS
* Examples of ISO 27001 interested parties
質問 # 173
您是審計團隊負責人,對一家線上保險公司進行第三方審計。在第一階段,您發現組織採取了非常謹慎的風險方法,並將 ISO/IEC 27001:2022 附錄 A 中的所有資訊安全控制措施納入其適用性聲明中。
在第二階段審核期間,您的審核團隊發現沒有證據顯示有實施三項控制措施(5.3 職責分離、6.1 篩選、7.12 佈線安全)的風險處理計畫。您針對 ISO 27001:2022 的第 6.1.3.e 條提出了不符合項。
在末次會議上,技術總監發布了修訂後的適用性聲明的摘錄(如圖所示),並要求撤回不合格項。
選擇審核組長對技術總監要求的正確回答的三個選項。
- A. 告知技術總監,一旦提出不合格項,就無法撤回。
- B. 通知技術總監,他的請求將包含在審核報告中。
- C. 建議技術總監該不合格項必須成立,因為所獲得的證據是明確的。
- D. 建議管理階層在審核員有更多時間時對所提供的資訊進行審核。
- E. 通知技術總監,不合格項將改為改善機會。
- F. 審查產生的文件並撤回不合格項。
- G. 說明有必要進行後續審核,以審查更新後的適用性聲明的證據。
- H. 詢問提出問題的審核員關於您應如何回應該請求的意見。
正解:B、C、G
解説:
The three options of the correct responses of an audit team leader to the request of the Technical Director are:
* B. Advise the Technical Director that his request will be included in the audit report.
* D. Advise the Technical Director that the nonconformity must stand since the evidence obtained for it was clear.
* H. State that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability.
* B. This response is correct because the audit team leader should document the request of the Technical Director and include it in the audit report, along with the audit findings and conclusions12. This will ensure transparency and traceability of the audit process and the audit results.
* D. This response is correct because the audit team leader should not withdraw the nonconformity based on the amended Statement of Applicability alone. The nonconformity was raised against clause 6.1.3.e of ISO 27001:2022, which requires the organisation to produce and maintain a risk treatment plan that defines how the information security risks are treated, including the controls selected and their implementation status34. The Statement of Applicability is only one part of the risk treatment plan, and it does not provide sufficient evidence that the controls have been implemented effectively. The audit team leader should base the nonconformity on the objective evidence obtained during the audit, not on the subjective claims of the auditee12.
* H. This response is correct because the audit team leader should state that a follow up audit will be necessary to review the evidence for the updated Statement of Applicability. A follow up audit is an audit that is conducted after a previous audit to verify the implementation and effectiveness of the corrective actions and/or opportunities for improvement that were agreed upon as a result of the previous audit56. The follow up audit should seek to ensure that the nonconformity has been effectively addressed and that the ISMS is compliant and effective. The follow up audit should also consider any new or changed risks or requirements that may affect the ISMS56.
References:
1: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25 2: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7 3: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, clause 6.1.3.e 4: ISO/IEC 27005:
2022 - Information technology - Security techniques - Information security risk management, clause 8.3.2
5: PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25 6: ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7
質問 # 174
情境 4:SendPay 是一家金融公司,透過代理商和金融機構網路提供服務。他們的主要服務之一是在全球範圍內轉帳。 SendPay 作為一家新公司,致力於為客戶提供最優質的服務。由於該公司提供國際交易,因此要求客戶提供個人信息,例如身份、交易原因以及完成交易可能需要的其他詳細信息。因此,SendPay 已實施安全措施來保護客戶的訊息,包括偵測、調查和回應可能出現的任何資訊安全威脅。他們對提供安全服務的承諾也體現在 ISMS 實施過程中,該公司投入了大量時間和資源。
去年,SendPay 推出了他們的數位平台,允許透過智慧型手機或筆記型電腦等電子設備進行貨幣交易,而無需支付額外費用。透過這個平台,SendPay 的客戶可以隨時隨地發送和接收資金。該數位平台幫助SendPay簡化了公司營運並進一步拓展了業務。當時SendPay正在外包其軟體業務,因此該專案是由外包公司的軟體開發團隊完成的。
該團隊還負責維護 SendPay 的技術基礎設施。
最近,該公司在實施 ISMS 近一年後申請了 ISO/IEC 27001 認證。他們與符合其標準的認證機構簽訂了合約。不久之後,認證機構任命了一個由四名審核員組成的團隊來審核 SendPay 的 ISMS。
審計過程中,發現以下情況:
1.外包軟體公司在未事先通知的情況下終止了與SendPay的合約。結果,SendPay 無法立即將服務恢復到內部,其營運中斷了五天。審計人員要求 SendPay 的代表提供證據,證明他們在合約終止的情況下有計劃遵循。這些代表沒有提供任何書面證據,但在接受審計時,他們告訴審計人員,SendPay的高層已經確定了另外兩家軟體開發公司,如果類似情況再次發生,可以立即提供服務。
2. 沒有證據顯示對外包給軟體開發公司的活動進行了監控。 SendPay 的代表再次告訴審計人員,他們定期與軟體開發公司溝通,並適當地告知可能發生的任何變更。
3.防火牆測試未發現異常狀況。審核員測試了防火牆配置,以確定這些服務提供的安全等級。他們使用資料包分析器來測試防火牆策略,這使他們能夠即時檢查發送或接收的資料包。
根據該場景,回答以下問題:
SendPay 的代表表示,該公司沒有計劃與他們外包活動的公司終止合約。相反,最高管理層已經確定了另外兩家可以提供相同服務的軟體開發公司。您如何描述這種情況?
- A. 可以接受,SendPay可以決定是否制定類似的合約終止計劃,因此不需要額外的證據
- B. 不可接受,SendPay 用於識別替代軟體開發公司的證據和標準不充分
- C. 不可接受,SendPay 必須始終制定恢復計劃,說明公司應遵循哪些步驟
正解:C
解説:
ISO/IEC 27001 emphasizes the need for organizations to have a comprehensive incident management and recovery plan for various situations, including the termination of contracts with key service providers. In the case of SendPay, having a specific, documented recovery plan that outlines steps and protocols in case of sudden termination is necessary to ensure business continuity and compliance with the standard.
References: ISO/IEC 27001:2013 Standard, Clauses 6.1.3, A.16 (Information security incident management)
質問 # 175
......
ISO-IEC-27001-Lead-Auditor-CN認定概要最新のISO-IEC-27001-Lead-Auditor-CNPDF問題集はこちら:https://www.goshiken.com/PECB/ISO-IEC-27001-Lead-Auditor-CN-mondaishu.html
無料ISO-IEC-27001-Lead-Auditor-CN試験ブレーン問題集認定ガイド問題と解答:https://drive.google.com/open?id=1CvYLA3G0XyomggIQgYM0c5vPMMXsloaj