免費PDF ISO-IEC-27001-Lead-Auditor最新考題以及資格考試的領先材料供應者和授權的ISO-IEC-27001-Lead-Auditor在線題庫我們NewDumps PECB的ISO-IEC-27001-Lead-Auditor考試的做法是最徹底的,以及最準確及時的最新的實踐檢驗,你會發現目前市場上的唯一可以有讓你第一次嘗試通過困難的信心。PECB的ISO-IEC-27001-Lead-Auditor考試認證在世界上任何一個國家將會得到承認,所有的國家將會一視同仁,NewDumps PECB的ISO-IEC-27001-Lead-Auditor認證證書不僅有助於提高你的知識和技能,也有助於你的職業生涯在不同的條件下多出一個可能性,我們NewDumps PECB的ISO-IEC-27001-Lead-Auditor考試認證合格使用。 最新的 ISO 27001 ISO-IEC-27001-Lead-Auditor 免費考試真題 (Q296-Q301):問題 #296
You are the audit team leader conducting a third-party audit of an online insurance organisation. During Stage
1, you found that the organisation took a very cautious risk approach and included all the information security controls in ISO/IEC 27001:2022 Appendix A in their Statement of Applicability.
During the Stage 2 audit, your audit team found that there was no evidence of the implementation of the three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security) shown in the extract from the Statement of Applicability. No risk treatment plan was found.
Select three options for the actions you would expect the auditee to take in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:2022.
A. Undertake a survey of customers to find out if the controls are needed by them.
B. Implement the appropriate risk treatment for each of the applicable controls.
C. Revisit the risk assessment process relating to the three controls.
D. Remove the three controls from the Statement of Applicability.
E. Compile plans for the periodic assessment of the risks associated with the controls.
F. Incorporate written procedures for the controls into the organisation's Security Manual.
G. Allocate responsibility for producing evidence to prove to auditors that the controls are implemented.
H. Revise the relevant content in the Statement of Applicability to justify their exclusion.
答案:B,C,H
解題說明:
According to the PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, the auditee should take the following actions in response to a nonconformity against clause 6.1.3.e of ISO/IEC 27001:20221:
Implement the appropriate risk treatment for each of the applicable controls, as this is the main requirement of clause 6.1.3.e and the objective of the risk treatment process2.
Revise the relevant content in the Statement of Applicability to justify their exclusion, as this is the expected output of the risk treatment process and the evidence of the risk-based decisions3.
Revisit the risk assessment process relating to the three controls, as this is the input for the risk treatment process and the source of identifying the risks and the controls4.
The other options are not correct because:
Allocating responsibility for producing evidence to prove to auditors that the controls are implemented is not a valid action, as the audit team already found that there was no evidence of the implementation of the three controls.
Compiling plans for the periodic assessment of the risks associated with the controls is not a valid action, as this is part of the risk monitoring and review process, not the risk treatment process5.
Incorporating written procedures for the controls into the organisation's Security Manual is not a valid action, as this is part of the documentation and operation of the ISMS, not the risk treatment process.
Removing the three controls from the Statement of Applicability is not a valid action, as this is not a sufficient justification for their exclusion and does not reflect the risk treatment process.
Undertaking a survey of customers to find out if the controls are needed by them is not a valid action, as this is not a relevant criterion for the risk assessment and treatment process, which should be based on the organisation's own context and objectives.
References: 1: PECB Candidate Handbook for ISO/IEC 27001 Lead Auditor, page 36, section 4.5.22:
ISO/IEC 27001:2022, clause 6.1.3.e3: ISO/IEC 27001:2022, clause 6.1.3.f4: ISO/IEC 27001:2022, clause
6.1.25: ISO/IEC 27001:2022, clause 6.2. : ISO/IEC 27001:2022, clause 7.5 and 8. : ISO/IEC 27001:2022, clause 6.1.3.d. : ISO/IEC 27001:2022, clause 4.1 and 4.2.
問題 #297
A member of staff denies sending a particular message.
Which reliability aspect of information is in danger here?
A. integrity
B. availability
C. correctness
D. confidentiality
答案:A
解題說明:
Explanation
The reliability aspect of information that is in danger when a member of staff denies sending a particular message is integrity. Integrity implies that information is authentic and can be verified as such. If a member of staff denies sending a message, it means that either the message was forged or the sender is lying, both of which violate the integrity of the information. Availability, correctness and confidentiality are not directly affected by this scenario. ISO/IEC 27001:2022 defines integrity as "property of accuracy and completeness" (see clause 3.24). References: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements, What is Integrity?
問題 #298
Which two of the following phrases are 'objectives' in relation to a first-party audit?
A. Complete the audit on time
B. Prepare the audit report for the certification body
C. Update the management policy
D. Apply international standards
E. Apply Regulatory requirements
F. Confirm the scope of the management system is accurate
答案:C,F
解題說明:
Explanation
A first-party audit is an internal audit conducted by the organization itself or by an external party on its behalf. The objectives of a first-party audit are to: 12
* Confirm the scope of the management system is accurate, i.e., it covers all the processes, activities, locations, and functions that are relevant to the information security objectives and requirements of the organization.
* Update the management policy, i.e., review and revise the policy statement, roles and responsibilities, and objectives and targets of the information security management system (ISMS) based on the audit findings and feedback.
The other phrases are not objectives of a first-party audit, but rather:
* Apply international standards: This is a requirement for the ISMS, not an objective of the audit. The ISMS must conform to the ISO/IEC 27001 standard and any other applicable standards or regulations12
* Prepare the audit report for the certification body: This is an activity of a third-party audit, not a first-party audit. A third-party audit is an external audit conducted by an independent certification body to verify the conformity and effectiveness of the ISMS and to issue a certificate of compliance12
* Complete the audit on time: This is a performance indicator, not an objective of the audit. The audit
* should be completed within the planned time frame and budget, but this is not the primary purpose of the audit12
* Apply regulatory requirements: This is also a requirement for the ISMS, not an objective of the audit. The ISMS must comply with the legal and contractual obligations of the organization regarding information security12 References:
1: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Course by CQI and IRCA Certified Training 1 2: ISO/IEC 27001 Lead Auditor Training Course by PECB 2
問題 #299
Scenario 7: Lawsy is a leading law firm with offices in New Jersey and New York City. It has over 50 attorneys offering sophisticated legal services to clients in business and commercial law, intellectual property, banking, and financial services. They believe they have a comfortable position in the market thanks to their commitment to implement information security best practices and remain up to date with technological developments.
Lawsy has implemented, evaluated, and conducted internal audits for an ISMS rigorously for two years now.
Now, they have applied for ISO/IEC 27001 certification to ISMA, a well-known and trusted certification body.
During stage 1 audit, the audit team reviewed all the ISMS documents created during the implementation.
They also reviewed and evaluated the records from management reviews and internal audits.
Lawsy submitted records of evidence that corrective actions on nonconformities were performed when necessary, so the audit team interviewed the internal auditor. The interview validated the adequacy and frequency of the internal audits by providing detailed insight into the internal audit plan and procedures.
The audit team continued with the verification of strategic documents, including the information security policy and risk evaluation criteria. During the information security policy review, the team noticed inconsistencies between the documented information describing governance framework (i.e., the information security policy) and the procedures.
Although the employees were allowed to take the laptops outside the workplace, Lawsy did not have procedures in place regarding the use of laptops in such cases. The policy only provided general information about the use of laptops. The company relied on employees' common knowledge to protect the confidentiality and integrity of information stored in the laptops. This issue was documented in the stage 1 audit report.
Upon completing stage 1 audit, the audit team leader prepared the audit plan, which addressed the audit objectives, scope, criteria, and procedures.
During stage 2 audit, the audit team interviewed the information security manager, who drafted the information security policy. He justified the Issue identified in stage 1 by stating that Lawsy conducts mandatory information security training and awareness sessions every three months.
Following the interview, the audit team examined 15 employee training records (out of 50) and concluded that Lawsy meets requirements of ISO/IEC 27001 related to training and awareness. To support this conclusion, they photocopied the examined employee training records.
Based on the scenario above, answer the following question:
Should the auditor archive the copies of employee training records after the completion of the audit? Refer to scenario 7.
A. Yes, copies of files are in the auditor's possession, as mentioned in the audit agreement
B. Yes, all the documented information generated during the audit should be kept as audit record
C. No, copies of files are not generally kept as audit records
答案:C
解題說明:
No, copies of files are not generally kept as audit records unless specifically required and agreed upon in the audit plan. Audit records typically include notes and observations made by auditors, not copies of the auditee's files, unless these are essential and explicitly allowed by the auditee.
References: ISO 19011:2018, Guidelines for auditing management systems
問題 #300
Select the words that best complete the sentence to describe an audit finding. 答案:
解題說明:
