PECB ISO-IEC-27001-Lead-Auditor 問題集

質問 1：
Select the words that best complete the sentence:
"The purpose of maintaining regulatory compliance in a management system is to To complete the sentence with the best word(s), click on the blank section you want to complete so that it is highlighted in red, and then click on the applicable text from the options below. Alternatively, you may drag and drop the option to the appropriate blank section.

正解：

Explanation:

According to ISO 27001:2013, clause 5.2, the top management of an organization must establish, implement and maintain an information security policy that is appropriate to the purpose of the organization and provides a framework for setting information security objectives. The information security policy must also include a commitment to comply with the applicable legal, regulatory and contractual requirements, as well as any other requirements that the organization subscribes to. Therefore, maintaining regulatory compliance is part of fulfilling the management system policy and ensuring its effectiveness and suitability. References:
ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 5.2 PECB Candidate Handbook ISO 27001 Lead Auditor, page 10 ISO 27001 Policy: How to write it according to ISO 27001

質問 2：
Which two of the following are examples of audit methods that 'do not' involve human interaction?
A. Performing a review of auditees procedures in preparation for an audit
B. Confirming the date and time of the audit
C. Observing work performed by remote surveillance
D. Analysing data by remotely accessing the auditee's server
E. Reviewing the auditee's response to an audit finding
F. Conducting an interview using a teleconferencing platform
正解：A,D
解説: (Topexam メンバーにのみ表示されます)

質問 3：
Which two of the following options do not participate in a first-party audit?
A. A certification body auditor
B. An auditor trained in the organization
C. An auditor from a consultancy organisation
D. An audit team from an accreditation body
E. An auditor trained in the CQI and IRCA scheme
F. An auditor certified by CQI and IRCA
正解：A,D
解説: (Topexam メンバーにのみ表示されます)

質問 4：
You are conducting an ISMS audit in the despatch department of an international logistics organisation that provides shipping services to large organisations including local hospitals and government offices. Parcels typically contain pharmaceutical products, biological samples, and documents such as passports and driving licences. You note that the company records show a very large number of returned items with causes including mis-addressed labels and, in 15% of company cases, two or more labels for different addresses for the one package. You are interviewing the Shipping Manager (SM).
You: Are items checked before being dispatched?
SH: Any obviously damaged items are removed by the duty staff before being dispatched, but the small profit margin makes it uneconomic to implement a formal checking process.
You: What action is taken when items are returned?
SM: Most of these contracts are relatively low value, therefore it has been decided that it is easier and more convenient to simply reprint the label and re-send individual parcels than it is to implement an investigation.
You raise a nonconformity. Referencing the scenario, which six of the following Appendix A controls would you expect the auditee to have implemented when you conduct the follow-up audit?
A. 5.11 Return of assets
B. 5.6 Contact with special interest groups
C. 6.3 Information security awareness, education, and training
D. 7.10 Storage media
E. 8.3 Information access restriction
F. 6.4 Disciplinary process
G. 5.13 Labelling of information
H. 5.32 Intellectual property rights
I. 8.12 Data leakage protection
J. 7.4 Physical security monitoring
K. 5.3 Segregation of duties
正解：C,D,E,G,I,J
解説: (Topexam メンバーにのみ表示されます)

質問 5：
Auditors need to communicate effectively with auditees. Therefore, their personal behaviour is a key characteristic needed to ensure a successful audit. Below there are the characteristics and a brief related description. Match the characteristics to the descriptions.

正解：

Explanation:
The possible matches of the characteristics to the descriptions are:
Tenacious: Persistent and focused on objectives
Ethical: Fair, truthful, sincere, honest, discreet
Diplomatic: Tactful in dealing with individuals
Observant: Actively observing surroundings/activities
Perceptive: Aware of and able to understand situations
Open to improvement: Willing to learn from situations
Actively observing surroundings/activities = Observant
Fair, truthful, sincere, honest, discreet = Ethical
Persistent and focused on objectives = Tenacious
Willing to learn from situations = Open to improvement
Tactful in dealing with individuals = Diplomatic
Aware of and able to understand situations = Perceptive
These are the auditor's characteristics and their descriptions as defined by ISO 19011:2022, Clause 7.2.21. The auditor's personal behaviour is essential for building trust and confidence with the auditee and for ensuring the credibility and effectiveness of the audit12. References: 1: ISO 19011:2022, Guidelines for auditing management systems, Clause 7.2.2 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 3: Fundamental audit concepts and principles

質問 6：
What is the standard definition of ISMS?
A. A project-based approach to achieve business objectives for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security
B. A company wide business objectives to achieve information security awareness for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
C. Is an information security systematic approach to achieve business objectives for implementation, establishing, reviewing,operating and maintaining organization's reputation.
D. A systematic approach for establishing, implementing, operating,monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 7：
You are carrying out a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre where the organisation's customers are able to temporarily locate equipment coming into or going out of the site. The equipment is contained within locked cabinets and each cabinet is allocated to a single, specific client.
Out of the corner of your eye you spot movement near the external door of the storage area. This is followed by a loud noise. You ask the guide what is going on. They tell you that recent high rainfall has raised local river levels and caused an infestation of rats. The noise was a specialist pest control stunning device being triggered. You check the device in the corner and find there is a large immobile rat contained within it.
What three actions would be appropriate to take next?
A. Assist the guide in humanely disposing of the rat and reset the device
B. Determine whether the high levels of rainfall have had other impacts on data centre operations e.g.
damage to infrastructure, access issues for clients, invocation of business continuity arrangements
C. Investigate whether pest infestation is an identified risk and if so, what risk treatment is to be applied
D. Raise a nonconformity against control 7.2 Physical Entry
E. Check with the guide that they intend to initiate the organisation's information security incident process
F. Inspect the client cabinets for signs of rodent ingress and record your findings as audit evidence
G. Raise a nonconformity against control 7.4 Physical Security monitoring
H. Take no further action. This is an ISMS audit, not an environmental management system audit
正解：B,C,E
解説: (Topexam メンバーにのみ表示されます)

質問 8：
Which two of the following phrases are 'objectives' in relation to a first-party audit?
A. Apply Regulatory requirements
B. Complete the audit on time
C. Apply international standards
D. Confirm the scope of the management system is accurate
E. Update the management policy
F. Prepare the audit report for the certification body
正解：D,E
解説: (Topexam メンバーにのみ表示されます)