PECB ISO-IEC-27001-Lead-Auditor 問題集

質問 1：
You are performing an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security of the business continuity management process. During the audit, you learned that the organisation activated one of the business continuity plans (BCPs) to make sure the nursing service continued during the recent pandemic. You ask Service Manager to explain how the organisation manages information security during the business continuity management process.
The Service Manager presents the nursing service continuity plan for a pandemic and summarises the process as follows:
Stop the admission of any NEW residents.
70% of administration staff and 30% of medical staff will work from home.
Regular staff self-testing including submitting a negative test report 1 day BEFORE they come to the office.
Install ABC's healthcare mobile app, tracking their footprint and presenting a GREEN Health Status QR-Code for checking on the spot.
You ask the Service Manager how to prevent non-relevant family members or interested parties from accessing residents' personal data when staff work from home. The Service Manager cannot answer and suggests the n" Security Manager should help with that.
You would like to further investigate other areas to collect more audit evidence Select three options that will be in your audit trail.
A. Collect more evidence on how the organisation makes sure only staff with a negative test result can enter the organisation (Relevant to control A.7.2)
B. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1)
C. Collect more evidence on how and when the Business Continuity Wan has been tested. (Relevant to control A.5.29)
D. Collect more evidence on how the organisation manages information security on mobile devices and during teleworking (Relevant to control A.6.7)
E. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6)
F. Collect more evidence by interviewing more staff about their feeling about working from home. (Relevant to clause 4.2)
正解：A,C,D
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Which two of the following options for information are not required for audit planning of a certification audit?
A. An audit checklist
B. An organisation's financial statement
C. A document review
D. An audit plan
E. A sampling plan
F. The working experience of the management system representative
正解：B,F
解説: (Topexam メンバーにのみ表示されます)

質問 3：
Which two of the following statements are true?
A. The purpose of an ISMS is to apply a risk management process for preserving information security.
B. The purpose of an ISMS is to demonstrate compliance with regulatory requirements.
C. The purpose of an ISMS is to demonstrate awareness of information security issues by management.
D. The benefit of certifying an ISMS is to increase the number of customers.
E. The benefits of implementing an ISMS primarily result from a reduction in information security risks.
F. The benefit of certifying an ISMS is to show the accreditation certificate on the website.
正解：A,E
解説: (Topexam メンバーにのみ表示されます)

質問 4：
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including misaddressed labels and, in 15% of cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SM: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which three of the following Annex A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
A. 5.11 Return of assets
B. 5.6 Contact with special interest groups
C. 6.3 Information security awareness, education, and training
D. 5.34 Privacy and protection of personal identifiable information (PII)
E. 6.4 Disciplinary process
F. 5.13 Labelling of information
G. 5.32 Intellectual property rights
H. 5.3 Segregation of duties
正解：C,D,F
解説: (Topexam メンバーにのみ表示されます)

質問 5：
Scenario 5: Cobt. an insurance company in London, offers various commercial, industrial, and life insurance solutions. In recent years, the number of Cobt's clients has increased enormously. Having a huge amount of data to process, the company decided that certifying against ISO/IEC 27001 would bring many benefits to securing information and show its commitment to continual improvement. While the company was well-versed in conducting regular risk assessments, implementing an ISMS brought major changes to its daily operations. During the risk assessment process, a risk was identified where significant defects occurred without being detected or prevented by the organizations internal control mechanisms.
The company followed a methodology to implement the ISMS and had an operational ISMS in place after only a few months After successfully implementing the ISMS, Cobt applied for ISO/IEC 27001 certification Sarah, an experienced auditor, was assigned to the audit Upon thoroughly analyzing the audit offer, Sarah accepted her responsibilities as an audit team leader and immediately started to obtain general information about Cobt She established the audit criteria and objective, planned the audit, and assigned the audit team members' responsibilities.
Sarah acknowledged that although Cobt has expanded significantly by offering diverse commercial and insurance solutions, it still relies on some manual processes Therefore, her initial focus was to gather information on how the company manages its information security risks Sarah contacted Cobt's representatives to request access to information related to risk management for the off-site review, as initially agreed upon for part of the audit However, Cobt later refused, claiming that such information is too sensitive to be accessed outside of the company This refusal raised concerns about the audit's feasibility, particularly regarding the availability and cooperation of the auditee and access to evidence Moreover, Cobt raised concerns about the audit schedule, stating that it does not properly reflect the recent changes the company made It pointed out that the actions to be performed during the audit apply only to the initial scope and do not encompass the latest changes made in the audit scope Sarah also evaluated the materiality of the situation, considering the significance of the information denied for the audit objectives. In this case, the refusal by Cobt raised questions about the completeness of the audit and its ability to provide reasonable assurance. Following these situations, Sarah decided to withdraw from the audit before a certification agreement was signed and communicated her decision to Cobt and the certification body. This decision was made to ensure adherence to audit principles and maintain transparency, highlighting her commitment to consistently upholding these principles.
Based on the scenario above, answer the following question:
What type of risk did Cobt identify during the last risk assessment?
A. Detection risk
B. Inherent risk
C. Control risk
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.
The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNefs operations and its compliance with a widely recognized and accepted standard.
But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audits ensured independence, objectivity, and that they had an advisory role about the continual improvement of the ISMS.
Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.
Therefore. UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.
The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.
One year after the initial certification audit, the certification body conducted another audit of UpNefs ISMS. This audit aimed to determine the UpNefs ISMS fulfillment of specified ISO/IEC 27001 requirements and ensure that the ISMS is being continually improved. The audit team confirmed that the certified ISMS continues to fulfill the requirements of the standard. Nonetheless, the new department caused a significant impact on governing the management system. Moreover, the certification body was not informed about any changes. Thus, the UpNefs certification was suspended.
Based on the scenario above, answer the following question:
UpNet announced that the ISMS certification scope encompasses the whole company once ensuring that the new department also complies with the ISO/IEC 27001 requirements. How would you classify this situation illustrated in scenario 9?
A. Unacceptable, UpNet should have requested and granted an extension audit prior to making the announcement
B. Unacceptable, the internal auditor should have approved the extension audit, not the top management
C. Acceptable, the internal audit confirmed the effectiveness and efficiency of the existing and new processes and controls
正解：A

質問 7：
Select the words that best complete the sentence:
To complete the sentence with the word(s) click on the blank section you want to complete so that it is highlighted in red, and then click on the application text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

正解：


質問 8：
Which of the following best defines managerial controls?
A. Controls related to the use of technical measures or technologies, such as firewalls, alarm systems, surveillance cameras, and IDSs
B. Controls related to the management of personnel, including training of employees, management reviews, and internal audits
C. Controls related to organizational structure, such as segregation of duties, job rotations, job descriptions, and approval processes
正解：B
解説: (Topexam メンバーにのみ表示されます)