PECB ISO-IEC-27001-Lead-Auditor 問題集

質問 1：
As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage medi a. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?
A. Anomaly
B. Conformity
C. Nonconformity
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Which two of the following statements are true?
A. The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
B. The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
C. Once agreed, the audit plan is fixed and cannot be changed during the conducting of the audi.
D. The audit plan describes the activities and arrangements for an audit.
E. Responsibility for managing the audit programme rests with the audit team leader.
F. The audit programme describes the activities and arrangements for an audit.
正解：B,D
解説: (Topexam メンバーにのみ表示されます)

質問 3：
Scenario 7: Webvue. headquartered in Japan, is a technology company specializing in the development, support, and maintenance of computer software. Webvue provides solutions across various technology fields and business sectors. Its flagship service is CloudWebvue, a comprehensive cloud computing platform offering storage, networking, and virtual computing services. Designed for both businesses and individual users. CloudWebvue is known for its flexibility, scalability, and reliability.
Webvue has decided to only include CloudWebvue in its ISO/IEC 27001 certification scope. Thus, the stage 1 and 2 audits were performed simultaneously Webvue takes pride in its strictness regarding asset confidentiality They protect the information stored in CloudWebvue by using appropriate cryptographic controls. Every piece of information of any classification level, whether for internal use. restricted, or confidential, is first encrypted with a unique corresponding hash and then stored in the cloud The audit team comprised five persons Keith. Sean. Layla, Sam. and Tin a. Keith, the most experienced auditor on the IT and information security auditing team, was the audit team leader. His responsibilities included planning the audit and managing the audit team. Sean and Layla were experienced in project planning, business analysis, and IT systems (hardware and application) Their tasks included audit planning according to Webvue's internal systems and processes Sam and Tina, on the other hand, who had recently completed their education, were responsible for completing the day-to-day tasks while developing their audit skills While verifying conformity to control 8.24 Use of cryptography of ISO/IEC 27001 Annex A through interviews with the relevant staff, the audit team found out that the cryptographic keys have been initially generated based on random bit generator (RBG) and other best practices for the generation of the cryptographic keys. After checking Webvue's cryptography policy, they concluded that the information obtained by the interviews was true. However, the cryptographic keys are still in use because the policy does not address the use and lifetime of cryptographic keys.
As later agreed upon between Webvue and the certification body, the audit team opted to conduct a virtual audit specifically focused on verifying conformity to control 8.11 Data Masking of ISO/IEC 27001 within Webvue, aligning with the certification scope and audit objectives. They examined the processes involved in protecting data within CloudWebvue. focusing on how the company adhered to its policies and regulatory standards. As part of this process. Keith, the audit team leader, took screenshot copies of relevant documents and cryptographic key management procedures to document and analyze the effectiveness of Webvue's practices.
Webvue uses generated test data for testing purposes. However, as determined by both the interview with the manager of the QA Department and the procedures used by this department, sometimes live system data are used. In such scenarios, large amounts of data are generated while producing more accurate results. The test data is protected and controlled, as verified by the simulation of the encryption process performed by Webvue's personnel during the audit While interviewing the manager of the QA Department, Keith observed that employees in the Security Training Department were not following proper procedures, even though this department fell outside the audit scope. Despite the exclusion in the audit scope, the non conformity in the Security Training Department has potential implications for the processes within the audit scope, specifically impacting data security and cryptographic practices in CloudWebvue. Therefore, Keith incorporated this finding into the audit report and accordingly informed the auditee.
Based on the scenario above, answer the following question:
Based on Scenario 7, was Keith's choice regarding the incorporation of the Security Training Department in the audit report appropriate?
A. No, he should have included it without informing the auditee about the observed situation
B. Yes, he should have incorporated the Security Training Department in the audit report
C. No, he should not have included it and only informed the auditee about the observed situation
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 4：
You are an experienced ISMS auditor conducting a third-party surveillance audit at an organisation which offers ICT reclamation services. ICT equipment which companies no longer require is processed by the organisation. It is either recommissioned and reused or is securely destroyed.
You notice two servers on a bench in the corner of the room. Both have stickers on them with the server's name, IP address and admin password. You ask the ICT Manager about them, and he tells you they were part of a shipment received yesterday from a regular customer.
Which one action should you take?
A. Raise a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications)
B. Record what you have seen in your audit findings, but take no further action
C. Ask the ICT Manager to record an information security incident and initiate the information security incident management process
D. Note the audit finding and check the process for dealing with incoming shipments relating to customer IT security
E. Raise a nonconformity against control 5.31 'Legal, staturary, regulatory and contractual requirements'
F. Ask the auditee to remove the labels, then carry on with the audit
正解：D

質問 5：
Scenario:
Northstorm is an online retail shop offering unique vintage and modern accessories. It initially entered a small market but gradually grew thanks to the development of the overall e-commerce landscape. Northstorm works exclusively online and ensures efficient payment processing, inventory management, marketing tools, and shipment orders. It uses prioritized ordering to receive, restock, and ship its most popular products.
Northstorm has traditionally managed its IT operations by hosting its website and maintaining full control over its infrastructure, including hardware, software, and data administration. However, this approach hindered its growth due to the lack of responsive infrastructure. Seeking to enhance its e-commerce and payment systems, Northstorm opted to expand its in-house data centers, completing the expansion in two phases over three months. Initially, the company upgraded its core servers, point-of-sale, ordering, billing, database, and backup systems. The second phase involved improving mail, payment, and network functionalities. Additionally, during this phase, Northstorm adopted an international standard for personally identifiable information (PII) controllers and PII processors regarding PII processing to ensure its data handling practices were secure and compliant with global regulations.
Despite the expansion, Northstorm's upgraded data centers failed to meet its evolving business demands. This inadequacy led to several new challenges, including issues with order prioritization. Customers reported not receiving priority orders, and the company struggled with responsiveness. This was largely due to the main server's inability to process orders from YouDecide, an application designed to prioritize orders and simulate customer interactions. The application, reliant on advanced algorithms, was incompatible with the new operating system (OS) installed during the upgrade.
Faced with urgent compatibility issues, Northstorm quickly patched the application without proper validation, leading to the installation of a compromised version. This security lapse resulted in the main server being affected and the company's website going offline for a week. Recognizing the need for a more reliable solution, the company decided to outsource its website hosting to an e-commerce provider. The company signed a confidentiality agreement concerning product ownership and conducted a thorough review of user access rights to enhance security before transitioning.
Which of the following is a preventive control based on Scenario 1?
A. Using an application that prioritized orders based on its prior knowledge
B. Signing a confidentiality agreement
C. Expanding the capacity of the in-house data center
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 6：
You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.
Your colleague seems unsure as to the difference between an information security event and an information security incident. You attempt to explain the difference by providing examples.
Which three of the following scenarios can be defined as information security incidents?
A. The organisation fails a third-party penetration test
B. A contractor who has not been paid deletes top management ICT accounts
C. An employee fails to clear their desk at the end of their shift
D. The organisation receives a phishing email
E. A hard drive is used after its recommended replacement date
F. The organisation's malware protection software prevents a virus
G. An unhappy employee changes payroll records without permission
H. The organisation's marketing data is copied by hackers and sold to a competitor
正解：B,G,H
解説: (Topexam メンバーにのみ表示されます)

質問 7：
The following are definitions of Information, except:
A. can lead to understanding and decrease in uncertainty
B. mature and measurable data
C. specific and organized data for a purpose
D. accurate and timely data
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 8：
When multiple offices of a certification body are involved, what must be ensured?
A. A legally enforceable agreement that covers all sites within the certification scope
B. Only the main office has a legally enforceable agreement with the client
C. Each office has a separate legally enforceable agreement with the client
正解：A
解説: (Topexam メンバーにのみ表示されます)