PECB ISO-IEC-27001-Lead-Auditor-CN Daily Practice Exam New 2026 Updated 418 Questions
Use Valid ISO-IEC-27001-Lead-Auditor-CN Exam - Actual Exam Question & Answer
NEW QUESTION # 166
您是一位經驗豐富的 ISMS 審核團隊領導者。在進行第三方監督審核期間,您決定測試受審核方對 ISO/IEC 27001 風險管理要求的了解。
你問她一系列問題,答案要么是“那是真的”,要么是“那是假的”。她應該回答以下哪四項「這是真的」?
- A. 組織必須針對已識別的每個業務風險制定風險處理計劃
- B. 組織必須執行風險處理流程以消除其資訊安全風險
- C. 必須保留風險評估的結果
- D. 組織風險管理流程的初始階段應該是資訊安全風險評估
- E. 重大變化後應進行風險評估
- F. 應每月進行一次風險評估
- G. ISO/IEC 27001 提供了風險管理的概要方法
- H. 風險識別,用於確定資訊安全風險的嚴重程度
Answer: A,C,E,G
Explanation:
The following four statements are true according to ISO/IEC 27001's risk management requirements: 12
* The results of risk assessments must be maintained. This is true because clause 8.2.3 of ISO/IEC 27001:
2022 requires the organisation to retain documented information of the information security risk assessment process and the results12
* ISO/IEC 27001 provides an outline approach for the management of risk. This is true because clause
6.1.2 of ISO/IEC 27001:2022 specifies the general steps for the information security risk management process, which include establishing the risk criteria, assessing the risks, treating the risks, and monitoring and reviewing the risks12
* The organisation must produce a risk treatment plan for every business risk identified. This is true because clause 6.1.3 of ISO/IEC 27001:2022 requires the organisation to produce a risk treatment plan that defines the actions to be taken to address the unacceptable risks, the responsibilities, the expected dates, and the resources required12
* Risk assessments should be undertaken following significant changes. This is true because clause 8.2.4 of ISO/IEC 27001:2022 requires the organisation to review and update the risk assessment at planned intervals or when significant changes occur12 The following four statements are false according to ISO/IEC 27001's risk management requirements:
* Risk identification is used to determine the severity of an information security risk. This is false because risk identification is used to identify the assets, threats, vulnerabilities, and existing controls that are relevant to the information security risk management process. The severity of an information security risk is determined by the risk analysis, which evaluates the likelihood and impact of the risk scenarios12
* The organisation must operate a risk treatment process to eliminate its information security risks. This is false because the organisation can choose from four options to treat its information security risks:
avoid, transfer, mitigate, or accept. The organisation does not have to eliminate all its information security risks, but only those that are unacceptable according to its risk criteria12
* The initial phase in an organisation's risk management process should be information security risk assessment. This is false because the initial phase in an organisation's risk management process should be establishing the risk management framework, which includes defining the risk management policy, objectives, scope, roles, responsibilities, and criteria. The information security risk assessment is the second phase in the risk management process12
* Risks assessments should be undertaken at monthly intervals. This is false because there is no fixed frequency for conducting risk assessments in ISO/IEC 27001. The organisation should determine the appropriate intervals for reviewing and updating the risk assessment based on its risk appetite, risk profile, and operational context12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
NEW QUESTION # 167
審核員能力是知識和技能的結合。下列哪兩項活動主要與「知識」相關?
- A. 決定如何向受審核方尋求證據
- B. 遵循偏離準備清單的審核追蹤
- C. 了解如何辨識發現結果
- D. 設計清單
- E. 決定要收集哪些證據
- F. 與受審核方溝通
Answer: D,E
Explanation:
Knowledge is the understanding of facts, concepts, principles, theories and practices related to a specific subject or discipline. Skills are the ability to apply knowledge and use know-how to complete tasks and solve problems. According to ISO 19011:2018, the knowledge and skills of an auditor include the following:
Knowledge of audit principles, procedures and methods
Knowledge of management system standards and reference documents
Knowledge of the organization's context, scope, processes and objectives Knowledge of relevant legal, regulatory and contractual requirements Knowledge of applicable industry, sector or technical disciplines Knowledge of risk management and risk-based thinking Skill in collecting and verifying information Skill in evaluating conformity and effectiveness of management systems Skill in reporting and communicating audit results Skill in managing audit activities and teams Based on this, the activities that are predominately related to knowledge are designing a checklist and determining what evidence to gather, as they require the auditor to understand the audit criteria, scope, objectives and methods, as well as the organization's context, processes and risks. The other activities are more related to skills, as they involve applying knowledge and using know-how to perform tasks and solve problems during the audit.
Reference:
ISO 19011:2018, Guidelines for auditing management systems, clauses 7.2.1, 7.2.2 and 7.2.3 PECB Candidate Handbook - ISO 27001 Lead Auditor, pages 9-10 and 16-17 ISO 9001 Auditing Practices Group Guidance on: Auditing Competence, pages 2-3 and 8
NEW QUESTION # 168
CEO發送一封電子郵件,表達他對公司現狀和公司未來策略的看法以及CEO的願景和員工在其中的角色。郵件應分類為
- A. 受限郵件
- B. 公共郵件
- C. 內部郵件
- D. 機密郵件
Answer: C
Explanation:
The mail sent by the CEO giving his views on the status of the company and the company's future strategy and the CEO's vision and the employee's part in it should be classified as internal mail. Internal mail is a type of classification that indicates that the information is intended for internal use only, and should not be disclosed to external parties without authorization. The mail sent by the CEO contains information that is relevant and important for the employees of the company, but may not be suitable for public disclosure, as it may contain sensitive or confidential information about the company's performance, goals, or plans. Reference: : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 34. : CQI & IRCA ISO 27001:2022 Lead Auditor Course Handbook, page 37. : [ISO/IEC 27001 LEAD AUDITOR - PECB], page 14.
NEW QUESTION # 169
下列哪一項關於資訊安全威脅和漏洞的敘述是不正確的?
- A. 無論相應的威脅為何,所有漏洞都需要立即實施控制
- B. 威脅必須利用漏洞對資訊的機密性、完整性和/或可用性產生負面影響
- C. 脆弱性可以是內在的,也可以是外在的,與資產的特徵或外在因素有關
Answer: A
Explanation:
Comprehensive and Detailed In-Depth
C . Incorrect Statement - Not all vulnerabilities require immediate remediation. Risk assessment determines whether controls are necessary. Some vulnerabilities pose low risks and may not need urgent fixes.
A . Correct Statement - Vulnerabilities can be intrinsic (inherent flaws) or extrinsic (caused by external misconfigurations).
B . Correct Statement - Threats must exploit vulnerabilities to cause harm.
This aligns with ISO/IEC 27001:2022 Annex A Control A.8.8 (Management of Technical Vulnerabilities).
NEW QUESTION # 170
哪一項最能描述保留與組織的資訊安全管理系統 (ISMS) 相關的記錄資訊的目的?
- A. 向第三方審核員展示客觀證據。
- B. 表示遵守法律要求。
- C. 在必要的範圍內,確信流程已按計劃進行。
- D. 確保所有工人都遵守既定程序。
Answer: C
Explanation:
The purpose of retaining documented information related to the ISMS of an organisation is to the extent necessary, to have confidence that the processes have been carried out as planned. This means that the documented information provides evidence of the conformity and effectiveness of the ISMS, as well as the achievement of the information security objectives and the continual improvement of the ISMS. Documented information also supports the analysis and evaluation of the ISMS performance and the identification of opportunities for improvement. References: = ISO/IEC 27001:2022, clause 7.5.1; PECB Candidate Handbook ISO 27001 Lead Auditor, page 17.
NEW QUESTION # 171
您是經驗豐富的 ISMS 審核團隊領導,指導審核員進行培訓。您決定透過詢問她一系列問題來測試她對後續審核的了解。這是您的問題和她的答案。
她正確回答了您的哪四個問題?
- A. 問:後續審核是否應該考慮商定的改進機會以及糾正措施?
年 - B. 問:後續審核的結果是否應該向負責最初識別 NC 審核的審核組組長報告?答:是的
- C. 問:如果需要,後續審核的結果是否可以成為另一次後續審核?答:是的
- D. 問:後續審核的結果是否該向審核客戶報告?答:沒有
- E. 問:後續審核是否應確保不合格問題得到有效解決?答:是的
- F. 問:後續審核的目的是驗證糾正、糾正措施和改進機會的完成嗎?答:是的
- G. 問:後續審核是否應該尋求發現新的不合格項?答:是的
- H. 問:所有審核都需要後續審核嗎?答:沒有
Answer: C,E,F,H
Explanation:
Based on the understanding of follow-up audits, especially in the context of Information Security Management Systems (ISMS) and the guidelines provided by ISO 19011:2018, here are the four questions from your list that the auditor in training has answered correctly:
B . Q: Should follow-up audits seek to ensure nonconformities have been effectively addressed? A: YES This is correct. The primary purpose of follow-up audits is to verify that nonconformities identified in previous audits have been effectively addressed and the corrective actions taken are suitable and effective.
D . Q: Is the purpose of a follow-up audit to verify the completion of corrections, corrective actions, and opportunities for improvement? A: YES Yes, the follow-up audit aims to verify the completion and effectiveness of corrections and corrective actions. It may also consider the implementation of opportunities for improvement identified during the initial audit.
E . Q: Are follow-up audits required for all audits? A: NO This is correct. Follow-up audits are not automatically required for all audits. They are typically conducted when nonconformities or other significant issues were identified in an earlier audit and there's a need to verify the implementation and effectiveness of the corrective actions.
H . Q: Could an outcome from a follow-up audit be another follow-up audit if required? A: YES Yes, this is a possible outcome. If the follow-up audit finds that the corrective actions have not been fully effective, or if new issues are identified, it may be necessary to conduct another follow-up audit.
The other responses provided by the auditor in training require some clarification or correction. For instance, while a follow-up audit primarily focuses on previously identified nonconformities and corrective actions, it can still identify new nonconformities if observed (A). Opportunities for improvement are generally considered in the scope of regular audits more so than in follow-up audits, which are more narrowly focused on corrective actions (C). Also, the outcomes of follow-up audits should typically be reported to both the audit team leader and the audit client (F and G), ensuring transparency and accountability.
The four questions that the auditor in training has answered correctly are B, D, E, and H.
These questions and answers are consistent with the definition and purpose of a follow-up audit as specified in ISO 19011:2018, Clause 6.712. A follow-up audit is conducted to verify the completion and effectiveness of corrective actions taken as a result of a previous audit (B, D). Follow-up audits are not mandatory for all audits, but they may be required by the audit program, the audit client, or other interested parties (E). The outcome of a follow-up audit may be another follow-up audit if the corrective actions are not satisfactory or not completed within the agreed time frame (H). The other questions and answers are either incorrect or irrelevant. A follow-up audit should not seek to identify new nonconformities, as this is not its objective (A). Follow-up audits should consider agreed opportunities for improvement as well as corrective actions, as they are both outputs of a previous audit . The outcome of a follow-up audit should be reported to the audit client, as well as to other relevant parties, such as the audit team leader who carried out the previous audit (F, G). Reference: 1: ISO 19011:2018, Guidelines for auditing management systems, Clause 6.7 \n2: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 6: Closing an ISO/IEC 27001 audit
NEW QUESTION # 172
情境 6
Sinvestment是一家提供多種保險方案的保險公司,包括房屋保險、商業保險和人壽保險。該公司最初成立於北加州,現已將業務拓展至歐洲和非洲等其他地區。除了業務成長之外,Sinvestment還致力於遵守其所在行業的相關法律法規,並防止任何資訊安全事件的發生。他們已實施基於ISO標準的資訊安全管理系統(ISMS)。
/IEC 27001,並已申請認證。
認證機構指派了一支審核團隊進行審核。審核團隊與Sinvestment簽署保密協議後,便開始了審核工作。第一階段審核的所有活動均在現場進行,但應Sinvestment的要求,對已存檔資訊的審查工作將以遠端方式進行。
審計團隊首先進行了第一階段審計,審查了所需文件,包括資訊安全管理系統(ISMS)範圍聲明、資訊安全策略和內部審計報告。已記錄資訊的評估主要基於其內容和管理流程。
此外,審計人員還發現,與資訊安全培訓和意識提升專案相關的文件不完整,缺乏關鍵細節。當被問及此事時,Sinvestment 的高階管理人員表示,該公司已為所有員工提供了資訊安全培訓課程。
第二階段審計在第一階段審計三週後進行。審計小組發現,行銷部(未包含在審計範圍內)沒有控制員工存取權限的程序。
由於控制員工存取權限是 ISO/IEC 27001 的要求之一,並且已納入公司的資訊安全政策,因此該問題被納入了審計報告。
問題
根據情境 6,審計團隊是否應該將市場部門存取權限控製程序中發現的缺陷納入審計報告?
- A. 不,應該只告知被審計單位的代表。
- B. 不,因為市場部門的活動不會對資訊安全管理系統構成潛在風險。
- C. 是的,審計報告必須包含所有審計結果。
Answer: C
Explanation:
It was appropriate for the audit team to include the observed deficiency in the audit report, making option A the correct answer. ISO/IEC 17021-1 and ISO 19011 require auditors to report all relevant findings that relate to conformity with the audit criteria, regardless of whether the affected department is formally listed within the audit scope. What matters is whether the issue relates to ISMS requirements or policies.
In this scenario, access rights control is explicitly included in Sinvestment's information security policy and is a core requirement of ISO/IEC 27001. The absence of access control procedures in the marketing department represents a weakness in the implementation of an ISMS requirement. Even though the marketing department was not part of the defined audit scope, the auditors became aware of a condition that could negatively affect the effectiveness of the ISMS as a whole.
Option B is incorrect because merely communicating the issue informally would undermine transparency and traceability. Audit reports must provide a complete and accurate record of findings. Option C is incorrect because marketing departments frequently handle personal data and sensitive information, particularly in an insurance context, and therefore clearly pose potential ISMS risks.
Auditors are required to report relevant findings objectively and without omission. Therefore, inclusion of the issue in the audit report was appropriate.
NEW QUESTION # 173
問題:
在涉及多個審計團隊的聯合審計中,每次審計通常會指定多少個審計團隊負責人?
- A. 每個審計團隊都指定自己的審計團隊負責人。
- B. 每次審計只有一個審計團隊負責人,無論涉及多少個審計團隊。
- C. 聯合審計中沒有指定的審計團隊負責人。
Answer: B
Explanation:
Comprehensive and Detailed In-Depth Explanation:
* A. Correct Answer:
* Joint audits involve multiple teams but require only one designated audit team leader to ensure:
* Consistent audit methodology
* Coordination among teams
* Unified reporting structure
* B. Incorrect:
* While each team may have a coordinator, there is only one main leader responsible for the audit.
* C. Incorrect:
* ISO 19011 mandates the presence of a designated audit team leader in all audits.
Relevant Standard Reference:
* ISO 19011:2018 Clause 5.5.5 (Assigning Responsibility to the Audit Team Leader)
NEW QUESTION # 174
您是一位經驗豐富的 ISMS 審核員,在一家提供 ICT 回收服務的組織中進行第三方監督審核。公司不再需要的ICT設備由組織處理。它要么被重新調試並重複使用,要么被安全地銷毀。
您注意到房間角落的長凳上有兩台伺服器。兩者的項目上都貼有伺服器名稱、IP 位址和管理員密碼的貼圖。您向 ICT 經理詢問這些物品,他告訴您這些物品是昨天從一位老客戶那裡收到的一批貨物的一部分。
您應該採取哪一項行動?
- A. 注意審核結果並檢查處理與客戶 IT 安全相關的進貨的流程
- B. 記錄您在審核結果中看到的內容,但不採取進一步行動
- C. 要求被審核方移除標籤,然後繼續審核
- D. 請 ICT 經理記錄資訊安全事件並啟動資訊安全事件管理流程
- E. 針對控制提出不符合項 5.31 法律、法規、監管和合約要求'
- F. 針對控制措施 8.20「網路安全」提出不符合項(應保護、管理和控製網路和網路設備,以保護系統和應用程式中的資訊)
Answer: A
Explanation:
According to ISO 27001:2022 clause 8.1.4, the organisation shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled. This includes implementing appropriate contractual requirements related to information security with external providers, such as customers who send ICT equipment for reclamation12 In this case, the organisation offers ICT reclamation services, which involves processing customer ICT equipment that may contain sensitive or confidential information. The organisation should have a process in place to ensure that the customer ICT equipment is handled securely and in accordance with the customer's information security requirements. The process should include steps such as verifying the customer's identity and authorisation, checking the inventory and condition of the equipment, removing or destroying any labels or stickers that contain information about the equipment or the customer, wiping or erasing any data stored on the equipment, and documenting the actions taken and the results achieved12 The fact that the auditor noticed two servers on a bench with stickers that reveal the server's name, IP address and admin password indicates that the process for dealing with incoming shipments relating to customer IT security is not effective or not followed. This could pose a risk of unauthorised access, disclosure, or modification of the customer's information or systems. Therefore, the auditor should note the audit finding and check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:202212 The other actions are not appropriate for the following reasons:
* A. Asking the ICT Manager to record an information security incident and initiate the information security incident management process is not appropriate because this is not an information security incident that affects the organisation's own information or systems. An information security incident is defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security12 In this case, the information security event affects the customer's information or systems, not the organisation's. Therefore, the organisation should follow the process for dealing with incoming shipments relating to customer IT security, not the process for information security incident management.
* C. Recording what the auditor has seen in the audit findings, but taking no further action is not appropriate because this would not address the root cause or the impact of the issue. The auditor has a responsibility to verify the effectiveness and compliance of the organisation's information security management system, and to report any nonconformities or opportunities for improvement12 Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.
* D. Raising a nonconformity against control 5.31 Legal, statutory, regulatory and contractual requirements is not appropriate because this control is not relevant to the issue. Control 5.31 requires the organisation to identify and comply with the legal, statutory, regulatory and contractual requirements that are applicable to the information security management system12 In this case, the issue is not about the organisation's compliance with the legal, statutory, regulatory and contractual requirements, but about the organisation's control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.
* E. Raising a nonconformity against control 8.20 'network security' (networks and network devices shall be secured, managed and controlled to protect information in systems and applications) is not appropriate because this control is not relevant to the issue. Control 8.20 requires the organisation to secure, manage and control its own networks and network devices to protect the information in its systems and applications12 In this case, the issue is not about the organisation's network security, but about the organisation's control of the externally provided processes, products or services that are relevant to the information security management system. Therefore, the auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause 8.1.4 of ISO 27001:2022.
* F. Asking the auditee to remove the labels, then carry on with the audit is not appropriate because this would not address the root cause or the impact of the issue. The auditor should not interfere with the auditee's operations or suggest corrective actions during the audit, as this would compromise the auditor's objectivity and impartiality12 The auditor should check the process for dealing with incoming shipments relating to customer IT security, and determine whether there is a nonconformity with clause
8.1.4 of ISO 27001:2022.
References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
NEW QUESTION # 175
在管理系統審核的背景下,請確定收集和驗證資訊的典型流程的順序。第一個已經為你完成了。
Answer:
Explanation:
NEW QUESTION # 176
選擇最能完成下面句子的字詞來描述審計資源:
Answer:
Explanation:
Explanation:
According to ISO 19011:2018, clause 5.3, the person responsible for managing the audit programme should determine the resources necessary for the audit programme, such as the audit team members, the budget, the time, the tools, etc. The audit resources should be sufficient and appropriate to ensure the quality and effectiveness of the audit programme and the audit results. The audit resources include the following elements12:
* Essential resources: These are the resources that are required to conduct the audit programme and the individual audits, such as the audit documents, the audit methods, the audit tools, the audit schedule, the audit budget, etc. The essential resources should be identified and allocated based on the audit objectives, scope, and criteria, and the availability and cooperation of the auditee. The essential resources should also be reviewed and updated as necessary to reflect any changes or deviations in the audit programme or the individual audits.
* Competent personnel: These are the audit team members who have the appropriate knowledge, skills, and experience to conduct the audit effectively and efficiently, and to provide credible and reliable audit results and recommendations. The competent personnel should include the audit team leader, the auditors, and any technical experts or observers who support the audit team. The competent personnel should be selected and appointed based on the audit objectives, scope, and criteria, and the specific competence requirements for the audit programme and the individual audits. The competent personnel should also be independent and impartial, and avoid any conflicts of interest or self-interest that may affect the audit results or the audit decisions.
References:
* ISO 19011:2018 - Guidelines for auditing management systems, clause 5.3
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19
NEW QUESTION # 177
您是一位經驗豐富的審核團隊領導,指導審核員進行培訓。接受培訓的審核員的任務是審查適用性聲明 (SoA) 中列出的並在現場實施的技術控制措施。
從以下內容中選擇您希望接受培訓的審核員審查的四項控制措施。
- A. 現場閉路電視和門禁系統的運行
- B. 資訊安全意識、教育與培訓
- C. 組織的業務連續性安排
- D. 保密與保密協議
- E. 供應商協定中如何解決資訊安全問題
- F. 組織如何評估其技術漏洞的暴露程度
- G. 如何實施針對惡意軟體的防護
- H. 電源線和資料線如何進入建築物
- I. 資訊資產清單的發展與維護
- J. 對人員進行驗證檢查
- K. 機構對資訊刪除的安排
- L. 進出裝載區的通道
- M. 在組織內部以及向其他組織傳輸訊息的規則
- N. 遠距工作安排
- O. 如何管理對原始程式碼和開發工具的訪問
- P. 組織對設備維護的安排
Answer: A,F,G,O
Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), an organization should select and implement appropriate controls to achieve its information security objectives1. The controls should be derived from the results of risk assessment and risk treatment, and should be consistent with the Statement of Applicability (SoA), which is a document that identifies the controls that are applicable and necessary for the ISMS1. The controls can be selected from various sources, such as ISO/IEC 27002:2013, which provides a code of practice for information security controls2. Therefore, if an auditor in training has been tasked with reviewing the technological controls listed in the SoA and implemented at the site of an organization that stores data on behalf of external clients, four controls that would be expected to review are:
* How protection against malware is implemented: This is a technological control that aims to prevent, detect and remove malicious software (such as viruses, worms, ransomware, etc.) that could compromise the confidentiality, integrity or availability of information or information systems2. This control is related to control A.12.2.1 of ISO/IEC 27002:20132.
* How the organisation evaluates its exposure to technical vulnerabilities: This is a technological control that aims to identify and assess the potential weaknesses or flaws in information systems or networks that could be exploited by malicious actors or cause accidental failures2. This control is related to control A.12.6.1 of ISO/IEC 27002:20132.
* How access to source code and development tools are managed: This is a technological control that aims to protect the intellectual property rights and integrity of software applications or systems that are developed or maintained by the organization or its external providers2. This control is related to control A:14.2.5 of ISO/IEC 27002:20132.
* The operation of the site CCTV and door control systems: This is a technological control that aims to monitor and restrict physical access to the premises or facilities where information or information systems are stored or processed2. This control is related to control A.11.1.4 of ISO/IEC 27002:20132.
The other options are not examples of technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. For example, the development and maintenance of an information asset inventory (related to control A.
8.1.1), rules for transferring information within the organization and to other organizations (related to control A.13.2.1), confidentiality and nondisclosure agreements (related to control A.13.2.4), verification checks on personnel (related to control A.7.1.2), remote working arrangements (related to control A.6.2.1), information security within supplier agreements (related to control A.15.1.1), business continuity arrangements (related to control A.17), information deletion (related to control A.8.3), information security awareness, education and training (related to control A.7.2), equipment maintenance (related to control A.11.2), and how power and data cables enter the building (related to control A.11) are not technological controls, but rather organizational, legal or procedural controls that may also be relevant for an ISMS audit, but are not within the scope of the auditor in training's task. References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls
NEW QUESTION # 178
您正在一家提供醫療保健服務的住宅療養院進行 ISMS 審核。審核計畫的下一步是驗證資訊安全事件管理流程。 IT 安全經理介紹了資訊安全事件管理程序,並解釋該流程基於 ISO/IEC 27035-1:2016。
您查看該文件並注意到一條聲明「任何資訊安全弱點、事件和事故應在識別後 1 小時內報告給聯絡人 (PoC)」。在訪問員工時,您發現大家對「弱點、事件、事件」意義的理解有差異。
您從事件追蹤系統中抽取過去 6 個月的事件報告記錄樣本,總結結果如下表所示。
您想進一步調查其他領域以收集更多審計證據。選擇兩個不會出現在您的審核追蹤中的選項。
- A. 收集更多證據,說明組織如何確定事件發生後無需採取進一步行動。 (與控制措施 A.5.26 相關)
- B. 收集更多關於公司如何以及何時支付贖金以解鎖公司手機和資料(即信用卡和銀行轉帳)的證據。 (與控制措施 A.5.26 相關)
- C. 收集更多有關事件恢復程序的證據。 (與控制措施 A.5.26 相關)
- D. 收集更多有關醫療保健監測服務要求的證據。 (與第4.2條相關)
- E. 收集有關人力資源經理如何以及何時支付贖金以解鎖個人行動資料(即信用卡和銀行轉帳)的更多證據。 (與控制措施 A.5.26 相關)
- F. 透過訪問更多員工了解他們對報告流程的理解來收集更多證據。
(與控制措施 A.6.8 相關) - G. 收集更多有關組織如何確定事件恢復時間的證據。 (與控制措施 A.5.27 相關)
Answer: B,D
Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 4.2 requires an organization to determine the needs and expectations of interested parties that are relevant to its ISMS1. This includes identifying the legal, regulatory, contractual and other requirements that apply to its information security activities1. Therefore, collecting more evidence on what the service requirements of healthcare monitoring are may not be relevant to verifying the information security incident management process, as it is not directly related to the audit objective or criteria. This option will not be in the audit trail.
NEW QUESTION # 179
場景 9:Techmanic 是一家比利時公司,成立於 1995 年,目前在布魯塞爾運作。它提供 IT 諮詢、軟體設計和硬體/軟體服務,包括部署和維護。該公司服務於公共服務、金融、電信、能源、醫療保健和教育等行業。作為一家以客戶為中心的公司,它優先考慮建立牢固的客戶關係並引領安全實踐。
Techmanic 已獲得 ISO/IEC 27001 認證一年,並對此認證感到自豪。在認證審核期間,審核員發現其 ISMS 實施上存在一些不一致之處。由於觀察到的情況並不影響其 ISMS 實現預期結果的能力,因此在審計師遠端跟進根本原因分析和糾正措施後,Techmanic 獲得了認證。的遵守情況。認識持續改進的價值並從過去的評估中學習。 Techmanic 實施了審查先前的監督審計報告的做法。這種積極主動的方法不僅有助於識別和解決潛在的不合格情況,而且還旨在簡化 IT 諮詢領域的重新認證流程。
監督審核期間,發現了多處不符合項。 ISMS 繼續滿足 ISO/IEC 27001*s 的要求,但根據內部稽核員的報告,Techmanic 未能解決與託管服務相關的不符合問題。此外,內部稽核報告存在多處不一致之處,這使人們對內部稽核師在託管服務審計過程中的獨立性產生了質疑。基於此,延期認證未獲核准。因此。 Techmanic 請求轉移到另一個認證機構。同時,該公司向客戶發布聲明稱,ISO/IEC 27001 認證涵蓋 IT 服務以及託管服務。
根據上述情景,回答以下問題:
下列哪一個選項是內部稽核程序不允許的?
- A. 減少人工審計任務
- B. 預防不合規
- C. 驗證糾正措施的有效性
Answer: B
Explanation:
Comprehensive and Detailed In-Depth
C . Correct answer:
Internal audits detect nonconformities but do not actively prevent them.
A . Incorrect:
Internal audits verify corrective actions.
B . Incorrect:
Technology can reduce manual tasks in internal audits.
Relevant Standard Reference:
NEW QUESTION # 180
問題
為驗證是否符合 ISO/IEC 27001 附錄 A 中關於日誌記錄的控制 8.15 條款,審核小組檢查了伺服器日誌樣本,以確定這些日誌是否可以被編輯或刪除。審核小組使用了哪種審核程序?
- A. 觀察
- B. 技術驗證
- C. 分析
Answer: B
Explanation:
The audit team used technical verification, making option B the correct answer. Technical verification involves examining technical configurations, system settings, or operational characteristics of information systems to verify whether controls are implemented and effective. In this scenario, the auditors examined server logs to determine whether they could be altered or deleted, which directly assesses the technical enforcement of logging controls.
ISO/IEC 27002:2022 control 8.15 requires organizations to ensure that logs are protected against unauthorized modification or deletion. Verifying this requirement cannot be achieved through interviews or documentation alone; it requires direct interaction with or inspection of the technical system.
Option A is incorrect because analysis refers to evaluating information, patterns, or results after evidence has been collected, not to the act of examining system configurations. Option C is incorrect because observation involves watching activities or processes being performed, such as monitoring staff behavior or physical security practices, not inspecting system-level controls.
Therefore, reviewing server logs for editability or deletion capability is a clear example of technical verification, which is an appropriate and necessary audit procedure for technological controls.
NEW QUESTION # 181
本組織擁有第三方認證機構核發的 ISO/IEC 27001 資訊安全管理系統 (ISMS) 認證。下列哪一項代表了擁有認可認證的優點?
- A. 客戶端數量增加
- B. 對認證過程可信度的認可。
- C. 組織產品的行銷價格上漲
- D. 審核報告的清晰度
Answer: B
Explanation:
One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation's customers, partners, regulators and other interested parties in the organisation's information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.
NEW QUESTION # 182
您是一位經驗豐富的 ISMS 審核團隊領導,為審核員提供培訓指導。他們對風險流程的理解不清楚,並要求您向他們提供下面詳細介紹的每個流程的範例。
將提供的每項描述與下列風險管理流程之一相符。
要填寫表格,請按一下要填寫的空白部分,使其以紅色突出顯示,然後從下面的選項中按一下適用的文字。或者,您可以將每個選項拖曳到適當的空白部分。
Answer:
Explanation:
Reference:
ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements ISO/IEC 27005:2022 Information technology - Security techniques - Information security risk management
NEW QUESTION # 183
情境 4
SendPay是一家金融服務公司,專注於透過代理商和機構網路提供全球匯款服務。作為市場新秀,SendPay致力於提供優質服務,其去年推出的免手續費數位平台讓客戶可以隨時隨地透過智慧型手機和筆記型電腦收發款項。當時,SendPay將軟體營運外包給外部團隊,該團隊也負責管理公司的技術基礎設施。
最近,該公司在實施資訊安全管理系統 (ISMS) 近一年後,申請了 ISO/IEC 27001 認證。
在審計過程中,審計人員重點審查了 SendPay 的外包業務,特別是外包公司負責的軟體開發和技術基礎設施維護。
他們採取了一套結構化的方法,其中包括審查和評估SendPay用於監控外包業務品質的流程。這包括核實該公司是否履行了合約義務,確保其在聘用外包實體方面擁有適當的管理程序,以及評估SendPay在預期或意外終止外包協議的情況下所採取的應對措施。
然而,審計人員委婉地指出,SendPay的協議並未充分考慮到外包協議意外取消的情況。此外,SendPay委派的技術專家協助審計人員,提供了與受審計外包業務相關的專業知識和經驗。
審計團隊計算了員工接受資訊安全管理系統 (ISMS) 培訓的小時數,以確保其符合既定目標。他們也基於審計期間抽取的樣本,計算了資訊安全事件的平均解決時間,從而深入了解了 SendPay 的事件管理實務。此外,審計人員還評估了審計期間收集的證據的可靠性。他們考慮了影響審計證據可靠性的多個因素。例如,與照片相比,監視錄影提供的證據更為客觀。時間因素也對可靠性起著至關重要的作用,交易記錄等機制可以增強證據的可信度。
SendPay 使用雲端平台來提高營運效率和可擴展性。然而,由於資源限制,審計人員在審計過程中並未要求 SendPay 提供其雲端活動清單,而是依賴 SendPay 的陳述。
問題
SendPay 的審計是否包含了外包營運審計的所有必要步驟?
- A. 不,因為審計團隊只專注於與監控外包營運品質相關的步驟。
- B. 不,審計忽略了關鍵步驟,例如審查終止計劃。
- C. 是的,審計審查了外包營運的各個方面。
Answer: B
Explanation:
The correct answer is B, because the audit did not fully address all necessary steps required for auditing outsourced operations under ISO/IEC 27001:2022. While the auditors reviewed several important aspects, including contractual obligations, governance arrangements, and quality monitoring processes, the scenario clearly states that SendPay's protocols did not fully address contingencies for unanticipated cancellations of outsourcing agreements. This represents a gap in the audit coverage.
ISO/IEC 27001:2022 requires organizations to ensure that information security requirements are addressed in supplier relationships throughout the entire lifecycle, including planning for termination. Annex A controls relating to supplier relationships require organizations to consider continuity, security responsibilities, and exit arrangements to protect information assets when outsourcing agreements end, whether expected or unexpected.
Although the auditors assessed monitoring mechanisms and contractual compliance, identifying that termination contingencies were not fully addressed indicates that this critical area was insufficiently covered.
Therefore, the audit did not include all necessary steps to fully evaluate outsourced operations. Option A is incorrect because the scenario explicitly identifies a missing element. Option C is incorrect because the audit went beyond quality monitoring and included governance, contractual obligations, and termination planning, even though that planning was incomplete.
Thus, the most accurate conclusion is that the audit overlooked crucial steps related to termination arrangements, making option B correct.
NEW QUESTION # 184
以下是資訊的定義,但以下情況除外:
- A. 成熟且可衡量的數據
- B. 可以促進理解並減少不確定性
- C. 用於特定目的的特定且有組織的數據
- D. 準確及時的數據
Answer: A
Explanation:
The definition of information that is not correct is C: mature and measurable data. This is not a valid definition of information, as information does not have to be mature or measurable to be considered as such. Information can be any data that has meaning or value for someone or something in a certain context. Information can be subjective, qualitative, incomplete or uncertain, depending on how it is interpreted or used. Mature and measurable data are characteristics that may apply to some types of information, but not all. The other definitions of information are correct, as they describe different aspects of information, such as accuracy and timeliness (A), specificity and organization (B), and understanding and uncertainty reduction (D). ISO/IEC 27001:2022 defines information as "any data that has meaning" (see clause 3.25). Reference: CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course, ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Information?
NEW QUESTION # 185
進行外部審核後,審核員決定內部審核員將追蹤糾正措施的實施情況,直到下一次監督審核。這是可以接受的嗎?
- A. 是的,內部稽核師可以追蹤糾正措施的實施情況,直到外部審計師在監督審計期間進行驗證為止
- B. 是的,如果外部稽核師無法完成,內部稽核師可以驗證糾正措施的實施情況
- C. 否,只有外部審核員應在審核完成後跟進糾正措施的實施情況
Answer: A
Explanation:
Yes, it is acceptable for the internal auditor to follow-up on the implementation of corrective actions until verified by the external auditor during the next surveillance audit. This practice supports continuous improvement and ensures that corrective actions are effectively implemented and maintained over time.
NEW QUESTION # 186
......
Test Engine to Practice ISO-IEC-27001-Lead-Auditor-CN Test Questions: https://www.passleader.top/PECB/ISO-IEC-27001-Lead-Auditor-CN-exam-braindumps.html
ISO-IEC-27001-Lead-Auditor-CN Real Exam Questions Test Engine Dumps Training With 418 Questions: https://drive.google.com/open?id=1e60PKTK6CcxaCQrR5UD17nTBdt98aEOd