合格させるISO ISOIEC20000LI試験最速合格 [Q20-Q40]

Share

合格させるISO ISOIEC20000LI試験最速合格

準備ISOIEC20000LI問題解答でISOIEC20000LI試験問題集

質問 # 20
Which situation described in scenario 7 Indicates that Texas H&H Inc. implemented a detective control?

  • A. Texas H&H Inc. tested its system for malicious activity and checked cloud based email settings
  • B. Texas H&H Inc. integrated the incident management policy in Its information security policy
  • C. Texas H&H Inc. hired an expert to conduct a forensic analysis

正解:C


質問 # 21
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Based on scenario 7. InfoSec contracted Anna as an external consultant. Based on her tasks, is this action compliant with ISO/IEC 27001°

  • A. Yes, forensic investigation may be conducted internally or by using external consultants
  • B. Yes, organizations must use external consultants for forensic investigation, as required by the standard
  • C. No, the skills of incident response or forensic analysis shall be developed internally

正解:A

解説:
According to ISO/IEC 27001:2022, clause 8.2.3, the organization shall establish and maintain an incident response process that includes the following activities:
* a) planning and preparing for incident response, including defining roles and responsibilities, establishing communication channels, and providing training and awareness;
* b) detecting and reporting information security events and weaknesses;
* c) assessing and deciding on information security incidents;
* d) responding to information security incidents according to predefined procedures;
* e) learning from information security incidents, including identifying root causes, taking corrective actions, and improving the incident response process;
* f) collecting evidence, where applicable.
The standard does not specify whether the incident response process should be performed internally or externally, as long as the organization ensures that the process is effective and meets the information security objectives. Therefore, the organization may decide to use external consultants for forensic investigation, as long as they comply with the organization's policies and procedures, and protect the confidentiality, integrity, and availability of the information involved.
References: ISO/IEC 27001:2022, clause 8.2.3; PECB ISO/IEC 27001 Lead Implementer Study Guide, section 8.2.3.


質問 # 22
Scenario 8: SunDee is an American biopharmaceutical company, headquartered in California, the US. It specializes in developing novel human therapeutics, with a focus on cardiovascular diseases, oncology, bone health, and inflammation. The company has had an information security management system(ISMS) based on SO/IEC 27001 in place for the past two years. However, it has not monitored or measured the performance and effectiveness of its ISMS and conducted management reviews regularly Just before the recertification audit, the company decided to conduct an internal audit. It also asked most of their staff to compile the written individual reports of the past two years for their departments. This left the Production Department with less than the optimum workforce, which decreased the company's stock.
Tessa was SunDee's internal auditor. With multiple reports written by 50 different employees, the internal audit process took much longer than planned, was very inconsistent, and had no qualitative measures whatsoever Tessa concluded that SunDee must evaluate the performance of the ISMS adequately. She defined SunDee's negligence of ISMS performance evaluation as a major nonconformity, so she wrote a nonconformity report including the description of the nonconformity, the audit findings, and recommendations. Additionally, Tessa created a new plan which would enable SunDee to resolve these issues and presented it to the top management Based on scenario 8. did the nonconformity report include all the necessary aspects?

  • A. Yes, the report included all the necessary aspects
  • B. No, the report must also specify the audit criteria
  • C. No, the report must also specify the root cause of the nonconformity

正解:C

解説:
According to ISO/IEC 27001:2022, a nonconformity report is a document that records the details of any deviation from the audit criteria that is identified during an audit2. The audit criteria are the set of policies, procedures, requirements, or specifications that are used as a reference against which audit evidence is compared3. Therefore, a nonconformity report must include the following aspects:
* The description of the nonconformity, which should clearly state what the deviation is, where it occurred, and when it was detected
* The audit findings, which should provide the objective evidence that supports the identification of the nonconformity
* The audit criteria, which should specify the reference document or standard that the nonconformity deviates from
* The recommendations, which should suggest the possible corrective actions or improvements that can be taken to address the nonconformity In scenario 8, Tessa's nonconformity report included the description of the nonconformity, the audit findings, and the recommendations, but it did not specify the audit criteria. Therefore, the report did not include all the necessary aspects and was incomplete.
References:
* 1: ISO/IEC 27001:2022, Clause 9.2.3
* 2: ISO/IEC 27001:2022, Clause 3.23
* 3: ISO/IEC 27001:2022, Clause 3.5
* : ISO/IEC 27001:2022, Annex A.9.2.3


質問 # 23
What is the most important asset to Socket Inc. associated with the use of cloud storage? Refer to scenario 5.

  • A. IT provided network drives
  • B. Customers' personal data
  • C. Employees with access to cloud storage files

正解:B


質問 # 24
The purpose of control 5.9 inventory of Information and other associated assets of ISO/IEC 27001 is to identify organization's information and other associated assets in order to preserve their information security and assign ownership. Which of the following actions docs NOT fulfill this purpose?

  • A. Assigning the responsibility for appropriately classifying and protecting information and other associated assets to the asset owners
  • B. Conducting regular reviews of identified information and other associated assets
  • C. Establishing rules to control physical and logical access to Information and other associated assets

正解:C


質問 # 25
An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?

  • A. Yes. ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc
  • B. Yes. ISO/IEC 27001 does not require organizations to document the results of management reviews
  • C. No, ISO/IEC 27001 requires organizations to document the results of management reviews

正解:C

解説:
According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must includedecisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication.
Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022.
Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO
/IEC 27001. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107) References:
* PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107
* PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
* ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 9.3.3 1


質問 # 26
Who should verily the effectiveness of the corrective actions taken by the auditee after an internal audit?

  • A. The internal auditor
  • B. An Independent auditor should be contracted to perform this evaluation
  • C. The information security manager

正解:A


質問 # 27
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope.
The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on the scenario above, answer the following question:
What led Operaze to implement the ISMS?

  • A. Identification of assets
  • B. Identification of threats
  • C. Identification of vulnerabilities

正解:C

解説:
According to the scenario, Operaze conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration testing and code review, the company identified some issues in its ICT systems, such as improper user permissions, misconfigured security settings, and insecure network configurations. These issues are examples of vulnerabilities, which are weaknesses or gaps in the protection of an asset that can be exploited by a threat.
Therefore, the identification of vulnerabilities led Operaze to implement the ISMS.
References:
* ISO/IEC 27001:2022 Lead Implementer Training Course Guide1
* ISO/IEC 27001:2022 Lead Implementer Info Kit2


質問 # 28
FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-lime authorization code sent to their smartphone. What can be concluded from this scenario?

  • A. FinanceX has incorrectly implemented a security control that could become a vulnerability
  • B. FinanceX has implemented an integrity control that avoids the involuntary corruption of data
  • C. FinanceX has implemented a securityControl that ensures the confidentiality of information

正解:C

解説:
Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. A security control is a measure that is put in place to protect the confidentiality, integrity, and availability of informationassets. In this scenario, FinanceX has implemented a security control that ensures the confidentiality of information by requiring clients to enter a one-time authorization code sent to their smartphone when they log in to their online banking platform. This control prevents unauthorized access to the clients' bank accounts and protects their sensitive information from being disclosed to third parties. The one-time authorization code is a form of two-factor authentication, which is a security technique that requires two pieces of evidence to verify the identity of a user. In this case, the two factors are something the user knows (their username and password) and something the user has (their smartphone). Two-factor authentication is a recommended security control for online banking platforms, as it provides a higher level of security than single-factor authentication, which relies only on one piece of evidence, such as a password.
References: ISO/IEC 27001:2022 Lead Implementer Course Content, Module 5: Introduction to Information Security Controls based on ISO/IEC 27001:20221; ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection, Clause 3.6: Confidentiality2; ISO/IEC 27002:2022 Code of practice for information security controls, Clause 9.4: Access control3


質問 # 29
An organization uses Platform as a Services (PaaS) to host its cloud-based services As such, the cloud provider manages most off the services to the organization. However, the organization still manages____________________

  • A. Servers and storage
  • B. Operating system and visualization
  • C. Application and data

正解:C


質問 # 30
Which of the following is the information security committee responsible for?

  • A. Treat the nonconformities
  • B. Set annual objectives and the ISMS strategy
  • C. Ensure smooth running of the ISMS

正解:B


質問 # 31
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out- of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on the scenario above, answer the following question:
After investigating the incident. Beauty decided to install a new anti-malware software. What type of security control has been implemented in this case?

  • A. Corrective
  • B. Detective
  • C. Preventive

正解:C

解説:
In the scenario described, Beauty's decision to install new anti-malware software after a security incident is aPreventivecontrol. This type of control is aimed at preventing future security incidents by removing malicious code and protecting against malware infections. The purpose of the new anti-malware software is to proactively protect the company's systems and data from potential threats, thus it falls under the category of preventive measures.
References:
* ISO/IEC 27001:2022 Lead Implementer Course Guide1
* ISO/IEC 27001:2022 Lead Implementer Info Kit2
* ISO/IEC 27001:2022 Information Security Management Systems - Requirements3
* ISO/IEC 27002:2022 Code of Practice for Information Security Controls4
* What are Security Controls? | IBM3
* What Are Security Controls? - F54


質問 # 32
Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Why did InfoSec establish an IRT? Refer to scenario 7.

  • A. To collect, preserve, and analyze the information security incidents
  • B. To assess, respond to, and learn from information security incidents
  • C. To comply with the ISO/IEC 27001 requirements related to incident management

正解:B

解説:
Based on his tasks, Bob is part of the incident response team (IRT) of InfoSec. According to the ISO/IEC
27001:2022 standard, an IRT is a group of individuals who are responsible for responding to information security incidents in a timely and effective manner. The IRT should have the authority, skills, and resources to perform the following activities:
* Identify and analyze information security incidents and their impact
* Contain, eradicate, and recover from information security incidents
* Communicate with relevant stakeholders and authorities
* Document and report on information security incidents and their outcomes
* Review and improve the information security incident management process and controls Bob's job is to deploy a network architecture that can prevent potential attackers from accessing InfoSec's private network, and to conduct a thorough evaluation of the nature and impact of any unexpected events that might occur. These tasks are aligned with the objectives and responsibilities of an IRT, as defined by the ISO
/IEC 27001:2022 standard.
References:
* ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 10.2, Information security incident management
* ISO/IEC 27035-1:2023, Information technology - Information security incident management - Part
1: Principles of incident management
* ISO/IEC 27035-2:2023, Information technology - Information security incident management - Part
2: Guidelines to plan and prepare for incident response
* PECB, ISO/IEC 27001 Lead Implementer Course, Module 10, Information security incident management


質問 # 33
Org Y. a well-known bank, uses an online banking platform that enables clients to easily and securely access their bank accounts.
To log in. clients are required to enter the one-time authorization code sent to their smartphone.
What can be concluded from this scenario?

  • A. Org Y has implemented a security control that ensures the confidentiality of information
  • B. Org Y has implemented an integrity control that avoids the involuntary corruption of data
  • C. Org Y has incorrectly implemented a security control that could become a vulnerability

正解:A


質問 # 34
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Based on scenario 4, the fact that TradeB defined the level of risk based on three nonnumerical categories indicates that;

  • A. The level of risk will be evaluated using quantitative analysis
  • B. The level of risk will be defined using a formula
  • C. The level of risk will be evaluated against qualitative criteria

正解:C

解説:
Qualitative risk assessment is a method of evaluating risks based on nonnumerical categories, such as low, medium, and high. It is often used when there is not enough data or resources to perform a quantitative risk assessment, which involves numerical values and calculations. Qualitative risk assessment relies on the subjective judgment and experience of the risk assessors, and it can be influenced by various factors, such as the context, the stakeholders, and the criteria. According to ISO/IEC 27001:2022, Annex A, control A.8.2.1 states: "The organization shall define and apply an information security risk assessment process that: ... d) identifies the risk owners; e) analyses the risks: i) assesses the consequences that would result if the risks identified were to materialize; ii) assesses the realistic likelihood of the occurrence of the risks; f) identifies and evaluates options for the treatment of risks; g) determines the levels of residual risk and whether these are acceptable; and h) identifies the risk owners for the residual risks." Therefore, TradeB's decision to define the level of risk based on three nonnumerical categories indicates that they used a qualitative risk assessment process.
References:
* ISO/IEC 27001:2022, Annex A, control A.8.2.1
* PECB ISO/IEC 27001 Lead Implementer Course, Module 7, slides 12-13


質問 # 35
What risk treatment option has Company A Implemented If it has decided not to collect information from users so that It is not necessary to implement information security controls?

  • A. Risk avoidance
  • B. Risk retention
  • C. Risk modification

正解:A


質問 # 36
Del&Co has decided to improve their staff-related controls to prevent incidents. Which of the following is NOT a preventive control related to the Del&Co's staff?

  • A. Video cameras
  • B. Control of physical access to the equipment
  • C. Authentication and authorization

正解:A

解説:
According to ISO/IEC 27001:2022, Annex A.7, the objective of human resource security is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered, and to reduce the risk of human error, theft, fraud, or misuse of facilities. The standard specifies eight controls in this domain, which are:
* A.7.1 Prior to employment: This control covers the screening, terms and conditions, and roles and responsibilities of employees and contractors before they are hired.
* A.7.2 During employment: This control covers the awareness, education, and training, disciplinary process, and management responsibilities of employees and contractors during their employment.
* A.7.3 Termination and change of employment: This control covers the return of assets, removal of access rights, and exit interviews of employees and contractors when they leave or change their roles.
The other controls in Annex A are related to other aspects of information security, such as organizational, physical, and technological controls. For example:
* A.9.2 User access management: This control covers the authentication and authorization of users to access information systems and services, based on their roles and responsibilities.
* A.11.1 Secure areas: This control covers the control of physical access to the equipment and information assets, such as locks, alarms, guards, etc.
* A.13.2 Information transfer: This control covers the protection of information during its transfer, such as encryption, digital signatures, secure protocols, etc.
Therefore, video cameras are not a preventive control related to the staff, but rather a physical control related to the equipment and assets. Video cameras can be used to monitor and record the activities of the staff, but they cannot prevent them from causing incidents. They can only help to detect and investigate incidents after they occur.
References: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements, Annex A; PECB ISO/IEC 27001 Lead Implementer Course, Module 8: Implementation of Information Security Controls.


質問 # 37
Some of the issues being discussed in the awareness session were too technical for the participants. What does this situation indicate? Refer to scenario 6.

  • A. TradeB did not evaluate the competence of the trainer
  • B. Employees are equipped with information security expertise, therefore. they do not represent a potential risk
  • C. TradeB did not determine the type and level of competence needed

正解:C


質問 # 38
According to ISO/IEC 270G1. why shall organizations document nonconformities?

  • A. To provide evidence of the results of the corrective actions and the nature of the nonconformities
  • B. To provide evidence of the requirements set by internal audit after reviewing their audit reports
  • C. To provide evidence of regulations set by external sources that need to be followed by the organization

正解:A


質問 # 39
According to scenario 9, TroNlcon SPEC aimed to eliminate the causes of adverse events By focusing on:

  • A. Preventing information security incidents rather than correcting them
  • B. Correcting information security Incidents rather than preventing them
  • C. Detecting information security incidents rather than correcting them

正解:A


質問 # 40
......

リアルISO ISOIEC20000LI試験問題 [更新されたのは2025年]:https://www.jpntest.com/shiken/ISOIEC20000LI-mondaishu

無料ISOIEC20000LI試験問題集には合格させるお手軽に試験合格:https://drive.google.com/open?id=1wqnXtrDPdGl6RJqBpDAGPwOy0sUCPzAo

弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

オンラインサポート時間:( UTC+9 ) 9:00-24:00
月曜日から土曜日まで

サポート:現在連絡