質問 1:An organisation is looking for management system initial certification. Please identify the sequence of the activities to be undertaken by the organisation.
To complete the sequence click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the options to the appropriate blank section.
正解:
質問 2:Select the option which best describes how Information Security Management System audits should be conducted:
A. Audit methods should be used to assess objective evidence in order to generate audit findings. Then, the audit conclusion should be created and presented to the auditee at the closing meeting.
B. Audit criteria should be used to assess circumstantial evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team at the audit team meeting.
C. Audit methods should be used to assess audit evidence in order to generate audit recommendations. Then, the audit recommendations should be created and presented to the auditee at the closing meeting.
D. Audit criteria should be used to assess objective evidence in order to generate audit outcomes. Then, the audit report should be created and presented to the audit team leader at the closing meeting.
E. Audit objectives should be used to assess objective evidence in order to generate audit conclusions. Then, the audit recommendations should be created and presented to top management at management review.
F. Audit objectives should be used to assess audit evidence in order to generate audit conclusions. Then, the audit findings should be created and presented to the audit client at the closing meeting.
正解:A
解説: (Topexam メンバーにのみ表示されます)
質問 3:You are carrying out your first third-party ISMS surveillance audit as an audit team leader. You are presently in the auditee's data centre with another member of your audit team and the organisation's guide.
You request access to a locked room protected by a combination lock and iris scanner. In the corner of the room is a collection of hard drives piled on a desk. You ask the guide what the status of the drives is. He tells you the drives are redundant and awaiting disposal. They should have been picked up last week, but the organisation's external provider of secure destruction services was unable to source a driver due to staff sickness. He says this has recently become more common though he does not know why. He then presents you with a job ticket that confirms the pickup has been rescheduled for tomorrow.
Based on the scenario above which three of the following actions would you now take?
A. Record a nonconformity against control A.5.13 'labelling of information' as the disk drives' status was unclear
B. Raise a nonconformity against control A.7.5, 'protecting against physical and environmental threats' because the drives have been left exposed on the desktop.
C. Record an opportunity for improvement in respect of the external provider's inventory management arrangements.
D. Ensure that the organisation's arrangements for the life cycle management of storage media have been adhered to.
E. Follow an audit trail to determine whether the organisation is complying with its obligations in respect of control A.5.22 'monitoring, review and change management of supplier services'.
F. Record the finding but note no further action is required as the pickup has now been rescheduled.
G. Raise a nonconformity against control A.7.7, 'clear desk and clear screen' because the drives have been left unprotected on the desktop.
H. Ensure that the organisation's arrangements for the secure disposal and reuse of equipment have been adhered to.
正解:D,E,H
質問 4:You are an experienced ISMS audit team leader, assisting an auditor in training to write their first audit report.
You want to check the auditor in training's understanding of terminology relating to the contents of an audit report and chose to do this by presenting the following examples.
For each example, you ask the auditor in training what the correct term is that describes the activity Match the activity to the description.
正解:
質問 5:Which two of the following statements are true?
A. The purpose of an ISMS is to apply a risk management process for preserving information security.
B. The purpose of an ISMS is to demonstrate compliance with regulatory requirements.
C. The purpose of an ISMS is to demonstrate awareness of information security issues by management.
D. The benefit of certifying an ISMS is to increase the number of customers.
E. The benefits of implementing an ISMS primarily result from a reduction in information security risks.
F. The benefit of certifying an ISMS is to show the accreditation certificate on the website.
正解:A,E
解説: (Topexam メンバーにのみ表示されます)
質問 6:Scenario 5: Data Grid Inc. is a well-known company that delivers security services across the entire information technology infrastructure. It provides cybersecurity software, including endpoint security, firewalls, and antivirus software. For two decades, Data Grid Inc. has helped various companies secure their networks through advanced products and services. Having achieved reputation in the information and network security field, Data Grid Inc. decided to obtain the ISO/IEC 27001 certification to better secure its internal and customer assets and gain competitive advantage.
Data Grid Inc. appointed the audit team, who agreed on the terms of the audit mandate. In addition, Data Grid Inc. defined the audit scope, specified the audit criteria, and proposed to close the audit within five days. The audit team rejected Data Grid Inc.'s proposal to conduct the audit within five days, since the company has a large number of employees and complex processes. Data Grid Inc. insisted that they have planned to complete the audit within five days, so both parties agreed upon conducting the audit within the defined duration. The audit team followed a risk-based auditing approach.
To gain an overview of the main business processes and controls, the audit team accessed process descriptions and organizational charts. They were unable to perform a deeper analysis of the IT risks and controls because their access to the IT infrastructure and applications was restricted. However, the audit team stated that the risk that a significant defect could occur to Data Grid Inc.'s ISMS was low since most of the company's processes were automated. They therefore evaluated that the ISMS, as a whole, conforms to the standard requirements by asking the representatives of Data Grid Inc. the following questions:
* How are responsibilities for IT and IT controls defined and assigned?
* How does Data Grid Inc. assess whether the controls have achieved the desired results?
* What controls does Data Grid Inc. have in place to protect the operating environment and data from malicious software?
* Are firewall-related controls implemented?
Data Grid Inc.'s representatives provided sufficient and appropriate evidence to address all these questions.
The audit team leader drafted the audit conclusions and reported them to Data Grid Inc.'s top management. Though Data Grid Inc. was recommended for certification by the auditors, misunderstandings were raised between Data Grid Inc. and the certification body in regards to audit objectives. Data Grid Inc. stated that even though the audit objectives included the identification of areas for potential improvement, the audit team did not provide such information.
Based on this scenario, answer the following question:
Data Grid Inc. is responsible for all the actions below, EXCEPT:
A. Appointing the audit team
B. Specifying the audit criteria
C. Defining the audit scope
正解:A
解説: (Topexam メンバーにのみ表示されます)
質問 7:Which option below is NOT a role of the audit team leader?
A. Setting up an ethics committee
B. Preparing and explaining the audit conclusions
C. Preventing and solving conflict during the audit
正解:A
解説: (Topexam メンバーにのみ表示されます)
質問 8:Scenario 3: NightCore is a multinational technology company based in the United States that focuses on e-commerce, cloud computing, digital streaming, and artificial intelligence. After having an information security management system (ISMS) implemented for over 8 months, they contracted a certification body to conduct a third party audit in order to get certified against ISO/IEC 27001.
The certification body set up a team of seven auditors. Jack, the most experienced auditor, was assigned as the audit team leader. Over the years, he received many well known certifications, such as the ISO/IEC 27001 Lead Auditor, CISA, CISSP, and CISM.
Jack conducted thorough analyses on each phase of the ISMS audit, by studying and evaluating every information security requirement and control that was implemented by NightCore. During stage 2 audit. Jack detected several nonconformities. After comparing the number of purchased invoices for software licenses with the software inventory, Jack found out that the company has been using the illegal versions of a software for many computers. He decided to ask for an explanation from the top management about this nonconformity and see whether they were aware about this. His next step was to audit NightCore's IT Department. The top management assigned Tom, NightCore's system administrator, to act as a guide and accompany Jack and the audit team toward the inner workings of their system and their digital assets infrastructure.
While interviewing a member of the Department of Finance, the auditors discovered that the company had recently made some unusual large transactions to one of their consultants. After gathering all the necessary details regarding the transactions. Jack decided to directly interview the top management.
When discussing about the first nonconformity, the top management told Jack that they willingly decided to use a copied software over the original one since it was cheaper. Jack explained to the top management of NightCore that using illegal versions of software is against the requirements of ISO/IEC 27001 and the national laws and regulations. However, they seemed to be fine with it.
Several months after the audit, Jack sold some of NightCore's information that he collected during the audit for a huge amount of money to competitors of NightCore.
Based on this scenario, answer the following question:
Based on scenario 3. which ISO/IEC 27001 control has NightCore ignored when they used an illegal version of software?
A. Annex A 5.32 Intellectual property rights
B. Annex A 5.1 Policies for information security
C. Annex A 5.10 Acceptable use of information and other associated assets
正解:A
解説: (Topexam メンバーにのみ表示されます)
PECB ISO-IEC-27001-Lead-Auditor 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|
| トピック 1 | - Fundamental audit concepts and principles: Exam-takers are tested in this section about basic audit concepts and rules.
|
| トピック 2 | - Managing an ISO
- IEC 27001 audit program: This section of the exam covers managing the internal audit activity and assessment of plans.
|
| トピック 3 | - Conducting an ISO
- IEC 27001 audit: This section of the exam covers activities during the audit conducting process such as communication during the audit process and testing audit strategies.
|
参照:https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
弊社は無料PECB ISO-IEC-27001-Lead-Auditorサンプルを提供します
お客様は問題集を購入する時、問題集の質量を心配するかもしれませんが、我々はこのことを解決するために、お客様に無料ISO-IEC-27001-Lead-Auditorサンプルを提供いたします。そうすると、お客様は購入する前にサンプルをダウンロードしてやってみることができます。君はこのISO-IEC-27001-Lead-Auditor問題集は自分に適するかどうか判断して購入を決めることができます。
ISO-IEC-27001-Lead-Auditor試験ツール:あなたの訓練に便利をもたらすために、あなたは自分のペースによって複数のパソコンで設置できます。
弊社は失敗したら全額で返金することを承諾します
我々は弊社のISO-IEC-27001-Lead-Auditor問題集に自信を持っていますから、試験に失敗したら返金する承諾をします。我々のPECB ISO-IEC-27001-Lead-Auditorを利用して君は試験に合格できると信じています。もし試験に失敗したら、我々は君の支払ったお金を君に全額で返して、君の試験の失敗する経済損失を減少します。
安全的な支払方式を利用しています
Credit Cardは今まで全世界の一番安全の支払方式です。少数の手続きの費用かかる必要がありますとはいえ、保障があります。お客様の利益を保障するために、弊社のISO-IEC-27001-Lead-Auditor問題集は全部Credit Cardで支払われることができます。
領収書について:社名入りの領収書が必要な場合、メールで社名に記入していただき送信してください。弊社はPDF版の領収書を提供いたします。
TopExamは君にISO-IEC-27001-Lead-Auditorの問題集を提供して、あなたの試験への復習にヘルプを提供して、君に難しい専門知識を楽に勉強させます。TopExamは君の試験への合格を期待しています。
一年間の無料更新サービスを提供します
君が弊社のPECB ISO-IEC-27001-Lead-Auditorをご購入になってから、我々の承諾する一年間の更新サービスが無料で得られています。弊社の専門家たちは毎日更新状態を検査していますから、この一年間、更新されたら、弊社は更新されたPECB ISO-IEC-27001-Lead-Auditorをお客様のメールアドレスにお送りいたします。だから、お客様はいつもタイムリーに更新の通知を受けることができます。我々は購入した一年間でお客様がずっと最新版のPECB ISO-IEC-27001-Lead-Auditorを持っていることを保証します。
弊社のPECB ISO-IEC-27001-Lead-Auditorを利用すれば試験に合格できます
弊社のPECB ISO-IEC-27001-Lead-Auditorは専門家たちが長年の経験を通して最新のシラバスに従って研究し出した勉強資料です。弊社はISO-IEC-27001-Lead-Auditor問題集の質問と答えが間違いないのを保証いたします。
この問題集は過去のデータから分析して作成されて、カバー率が高くて、受験者としてのあなたを助けて時間とお金を節約して試験に合格する通過率を高めます。我々の問題集は的中率が高くて、100%の合格率を保証します。我々の高質量のPECB ISO-IEC-27001-Lead-Auditorを利用すれば、君は一回で試験に合格できます。
PDF版 Demo
品質保証TopExamは我々の専門家たちの努力によって、過去の試験のデータが分析されて、数年以来の研究を通して開発されて、多年の研究への整理で、的中率が高くて99%の通過率を保証することができます。
一年間の無料アップデートTopExamは弊社の商品をご購入になったお客様に一年間の無料更新サービスを提供することができ、行き届いたアフターサービスを提供します。弊社は毎日更新の情況を検査していて、もし商品が更新されたら、お客様に最新版をお送りいたします。お客様はその一年でずっと最新版を持っているのを保証します。
全額返金弊社の商品に自信を持っているから、失敗したら全額で返金することを保証します。弊社の商品でお客様は試験に合格できると信じていますとはいえ、不幸で試験に失敗する場合には、弊社はお客様の支払ったお金を全額で返金するのを承諾します。(
ご購入の前の試用TopExamは無料なサンプルを提供します。弊社の商品に疑問を持っているなら、無料サンプルを体験することができます。このサンプルの利用を通して、お客様は弊社の商品に自信を持って、安心で試験を準備することができます。
