PECB ISO-IEC-27001-Lead-Auditor 問題集

質問 1：
Which two of the following actions are the individual(s) managing the audit programme responsible for?
A. Defining the plan of an individual audit
B. Communicating with the auditee during the audit
C. Determining the resources necessary for the audit programme
D. Defining the objectives, scope and criteria for an individual audit
E. Keping informed the accreditation body on the progress of the audit programme
F. Determining the legal requirements applicable to each audit
正解：C,E
解説: (Topexam メンバーにのみ表示されます)

質問 2：
During a third-party certification audit, you are presented with a list of issues by an auditee. Which four of the following constitute 'internal' issues in the context of a management system to ISO 27001:2022?
A. Inability to source raw materials due to government sanctions
B. A rise in interest rates in response to high inflation
C. A fall in productivity linked to outdated production equipment
D. Increased absenteeism as a result of poor management
E. A reduction in grants as a result of a change in government policy
F. Poor levels of staff competence as a result of cuts in training expenditure
G. Poor morale as a result of staff holidays being reduced
H. Higher labour costs as a result of an aging population
正解：C,D,F,G
解説: (Topexam メンバーにのみ表示されます)

質問 3：
As the ISMS audit team leader, you are conducting a second-party audit of an international logistics company on behalf of an online retailer. During the audit, one of your team members reports a nonconformity relating to control 5.18 (Access rights) of Appendix A of ISO/IEC 27001:2022. She found evidence that removing the server access protocols of 20 people who left in the last 3 months took up to 1 week whereas the policy required removing access within 24 hours of their departure.
Complete the sentence with the best word(s), dick on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

正解：

Explanation:
The purpose of including access rights in an information management system to ISO/IEC 27001:2022 is to provide, review, modify and remove these permissions in accordance with the organisation's policy and rules for access control.
Access rights are the permissions granted to users or groups of users to access, use, modify, or delete information assets. Access rights should be aligned with the organisation's access control policy, which defines the objectives, principles, roles, and responsibilities for managing access to information systems.
Access rights should also follow the organisation's rules for access control, which specify the criteria, procedures, and controls for granting, reviewing, modifying, and revoking access rights. The purpose of including access rights in an information management system is to ensure that only authorised users can access information assets according to their business needs and roles, and to prevent unauthorised or inappropriate access that could compromise the confidentiality, integrity, or availability of information assets. References:
* ISO/IEC 27001:2022 Annex A Control 5.181
* ISO/IEC 27002:2022 Control 5.182
* CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course3

質問 4：
Which two of the following phrases would apply to "audit objectives"?
A. Auditor competence
B. Checking legal compliance
C. Revising management policy
D. Determining conformity
E. Audit duration
F. Identifying opportunities for improvement, if required
正解：D,F
解説: (Topexam メンバーにのみ表示されます)

質問 5：
How does the use of new technologies such as big data impact auditing?
A. It presents new challenges, for example, combining structured and unstructured data
B. It enhances the audit quality by enabling auditors to collect higher quality audit evidence
C. It causes significant disruptions, for example, introducing data that is too large or complex for processing by traditional database management tools
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 6：
You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.
Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.
What three actions would be appropriate to take next?
A. Assist the guide in humanely disposing of the rat and reset the device
B. Determine whether the high levels of rainfall have had other impacts on data centre operations e.g.
damage to infrastructure, access issues for clients, invocation of business continuity arrangements
C. Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied
D. Raise a nonconformity against control 7.2 Physical Entry
E. Check with the guide that they intend to initiate the organisation's information security incident process
F. Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence
G. Raise a nonconformity against control 7.4 Physical Security monitoring
H. Take no further action. This is an ISMS audit, not an environmental management system audit
正解：B,C,E
解説: (Topexam メンバーにのみ表示されます)

質問 7：
An organization does not check the source code of the updated version of an application when it is updated automatically. Thus, the application may be open to unauthorized modifications. This represents a _________________ that may impact information
___________________
A. Vulnerability, (2) integrity
B. Risk, (2) availability
C. Threat, (2) confidentiality
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 8：
Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?
A. Retaining documentation
B. Retaining documentation
C. Setting objectives
D. Training staff
E. Organising changes
F. Providing ICT assets
正解：C,D
解説: (Topexam メンバーにのみ表示されます)