
[2026年01月27日]ISO-IEC-42001-Lead-Auditor試験問題集で100%合格率ISO-IEC-42001-Lead-Auditor試験!
試験問題集リアルAI management system (AIMS)問題集200解答を試そう!
PECB ISO-IEC-42001-Lead-Auditor 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
質問 # 109
What is one of the key objectives of conducting an audit according to ISO 19011?
- A. Evaluating the effectiveness of the management system
- B. Training employees on audit techniques
- C. Imposing penalties on non-compliant organizations
- D. Issuing certificates of compliance
正解:A
解説:
The primary objective of an audit, as defined in ISO 19011:2018 - Clause 5.1, is to evaluate the extent to which the management system conforms to planned arrangements and is effectively implemented and maintained.
Audits are not meant to issue certificates or impose penalties - they are tools for continual improvement
, helping organizations assess the performance and effectiveness of their systems.
This aligns with the purpose of internal audits described in ISO/IEC 42001:2023 - Clause 9.2, which is to verify the effectiveness of the AIMS (Artificial Intelligence Management System).
Reference: ISO 19011:2018 - Clause 5.1 (Objectives and benefits of audits) ISO/IEC 42001:2023 - Clause 9.2.1 (Internal Audit Objectives) PECB Lead Auditor Guide - Domain 3: "Purpose and Scope of Management System Audits"
質問 # 110
Question:
ReePharm, a pharmaceutical company, has decided to incorporate its AI risk management into the information security management system (ISMS) to identify and address risks related to the procurement, manufacturing, and distribution of pharmaceutical products. Is this decision appropriate?
- A. No, integrating AI risk management into other management systems would not meet ISO/IEC 42001 requirements
- B. No, merging AI risk management directly into the ISMS system creates unnecessary complexity without substantial improvements
- C. Yes, but only if performed after a surveillance audit
- D. Yes, integrating AI risk management into other management systems is acceptable
正解:D
解説:
ISO/IEC 42001 Clause 6.1 supportsintegration of AI-specific risk management into broader management systems, provided that AI-specific risks are addressed appropriately. Integration is allowed to improve efficiency without compromising the focus on AI risks.
Reference:ISO/IEC 42001:2023 Clause 6.1 (Risk Management in an Integrated Management System).
質問 # 111
An auditor is reviewing an AI system used for hiring processes at a tech company and discovers that the system disproportionately rejects candidates from certain ethnic backgrounds. The auditor previously consulted for this company on diversity strategies. Which management system auditing principle (as per ISO 19011) is at risk of being compromised in this scenario?
- A. Fair Presentation
- B. Independence
- C. Due Professional Care
- D. Confidentiality
正解:B
解説:
The principle at risk here isIndependence. According toISO 19011:2018 - Clause 4(c), auditors must be independent of the activity being auditedandfree from bias or conflicts of interest.
Having previously consulted for the company ondiversity strategies, the auditor has aprior engagement that may affect impartiality, particularly since the audit involves evaluating bias and fairness in hiring practices - the same area previously advised on.
ThePECB Lead Auditor Guide - Domain 3reinforces that independence is crucial forobjective evidence gathering and unbiased conclusions, especially in audits involvingethical or reputational concerns.
Reference: ISO 19011:2018 - Clause 4 (Principles of auditing), specifically Principle: "Independence" PECB Lead Auditor Guide - Domain 3: "Ethical Principles and Auditor Conduct"
質問 # 112
What does ISO 19011 provide?
- A. Requirements for bodies providing audit
- B. Fundamental principles of auditing
- C. Guidance for practitioners on AI management system
- D. Guidance for auditors on AI management system
正解:B
解説:
ISO 19011:2018providesfundamental principles and guidanceonauditing management systems, including:
* Principles of auditing
* Managing audit programs
* Conducting internal or external audits
* Evaluating the competence of auditors
While ISO/IEC 42001 is specific to AI Management Systems, ISO 19011 serves as auniversal audit frameworkthat applies toall types of management systems, including AI.
ThePECB Lead Auditor Guide - Domain 3highlights ISO 19011 as theprimary guidance document for auditing practices, emphasizing its relevance to auditing AIMS as well.
質問 # 113
What did the audit team use to assess the implementation of AI-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements? Refer to Scenario 6
- A. Evidence collection analysis
- B. Observation checklist
- C. Evidence collection procedures
- D. Evidence collection tools
正解:D
解説:
In Scenario 6, it is clearly stated:
"They also used sampling and technical verification to assess the implementation of AI-related controls, verify compliance with established procedures, and identify any gaps in adherence to the AIMS requirements." Sampling and technical verification are considered evidence collection tools used during audits. These tools enable auditors to validate the effectiveness of implemented controls by selectively reviewing samples, performing walkthroughs, and technically verifying how AI systems function in real-life scenarios.
According to ISO 19011:2018, Clause 6.5.5, audit evidence may be obtained through tools such as:
* Interviews
* Observations
* Technical testing
* Sampling
* Documentation review
This confirms that the audit team used "evidence collection tools" - specifically sampling and technical verification - to perform their assessments.
Reference:
ISO 19011:2018, Clause 6.5.5 - Audit methods and tools
ISO/IEC 42001:2023, Clause 9.2 - Collection of objective evidence
PECB ISO/IEC 42001 Lead Auditor Study Guide - Section: Evidence Collection Tools in AI Audits
\===========
Certainly! Below are the responses to Questions 51 through 54 from Scenario 7, presented in your requested format, with verified explanations aligned with ISO/IEC 42001:2023, ISO/IEC 17021-1:2015, ISO 19011:
2018, and the PECB Lead Auditor Study Guide.
-
質問 # 114
Scenario 7 (continued):
Scenario 7: ICure, headquartered in Bratislava, is a medical institution known for its use of the latest technologies in medical practices. Ithas introduced groundbreaking Al-driven diagnostics and treatment planning tools that have fundamentally transformed patient care.
ICure has integrated a robust artificial intelligence management system AIMS to manage its Al systems effectively. This holisticmanagement framework ensures that ICure's Al applications are not only developed but also deployed and maintained to adhere to the highest industry standards, thereby enhancing efficiency and reliability.
ICure has initiated a comprehensive auditing process to validate its AIMS's effectiveness in alignment with ISO/IEC 42001. The stage 1audit involved an on-site evaluation by the audit team. The team evaluated the site-specific conditions, interacted with ICure's personnel, observed the deployed technologies, and reviewed the operations that support the AIMS. Following these observations, the findings weredocumented and communicated to ICure. setting the stage for subsequent actions.
Unforeseen delays and resource allocation issues introduced a significant gap between the completion of stage
1 and the onset of stage2 audits. This interval, while unplanned, provided an opportunity for reflection and preparation for upcoming challenges.
After four months, the audit team initiated the stage 2 audit. They evaluated AIMS's compliance with ISO
/IEC 42001 requirements, payingspecial attention to the complexity of processes and their documentation. It was during this phase that a critical observation was made:
ICure had not fully considered the complexity of its processes and their interactions whendetermining the extent of documentedinformation. Essential processes related to Al model training, validation, and deployment were not documented accurately, hinderingeffective control and management of these critical activities. This issue was recorded as a minor nonconformity, signaling a need forenhanced control and management of these vital activities.
Simultaneously, the auditor evaluated the appropriateness and effectiveness of the "AIMS Insight Strategy," a procedure developed by ICure to determine the AIMS internal and external challenges. This examination identified specific areas for improvement, particularly in the way stakeholder input was integrated into the system. It highlighted how this could significantly enhance the contribution of relevant parties in strengthening the system's resilience and effectiveness.
The audit team determined the audit findings by taking into consideration the requirements of ICure, the previous audit records and conclusions, the accuracy, sufficiency, and appropriateness of evidence, the extent to which planned audit activities are realized and planned results achieved, the sample size, and the categorization of the audit findings. The audit team decided to first record all the requirements met; then they proceeded to record the nonconformities.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 7, for which of the following ISO/IEC 42001 clauses was the minor nonconformity issued?
- A. Clause 7.3 Awareness
- B. Clause 7.5 Documented information
- C. Clause 7.4 Communication
正解:B
解説:
The issue was thatessential AIMS processes (model training, validation, and deployment) were not properly documented- this falls under:
* ISO/IEC 42001:2023 Clause 7.5, which requires that "the organization shall ensure documented information is available, adequate, and properly controlled."
* The nonconformity was not about communication or awareness, but thelack of documentation, which is a direct violation of Clause 7.5.
Reference:ISO/IEC 42001:2023 Clause 7.5; Lead Auditor Manual Section 5 ("Document Control Requirements").
質問 # 115
During the audit planning phase, what is the primary activity an auditor should focus on?
- A. Conducting interviews with staff
- B. Preparing checklists and audit plans
- C. Issuing corrective actions
- D. Reviewing the final report
正解:B
解説:
During theaudit planning phase, the auditor's key responsibility is toprepare audit plans, checklists, and resource allocationsto ensure an effective and efficient audit.
According toISO 19011:2018 - Clause 6.4.1, planning includes preparing the audit plan, defining the audit schedule, and ensuring that required documents, tools, and team members are ready.
ThePECB Lead Auditor Guide - Domain 4further emphasizes preparing tailoredaudit checklistsbased on ISO/IEC 42001 clauses and relevant organizational processes.
質問 # 116
The top management of Alterhealth initially rejected the selected audit team leader because they had audited the company in the past, and thus would not bring added value for the auditee. Is this acceptable?
Scenario 5: Alterhealth is a mid-sized technology firm based in Toronto. Canada. It develops Al systems for healthcare providers, focusing on improving patient care, optimizing hospital workflows, and analyzing healthcare data for insights that can improve health outcomes.
To ensure responsible and effective use of Al in its
operations, Alterhealth has implemented an artificial intelligence management system AIMS based on ISO
/IEC 42001. After a year of having the AIMS in place, the
company decided to apply for a certification audit to obtain certification against ISO/IEC 42001.
The company contracted a certification body to conduct the audit, who assembled the audit team and appointed the audit team leader. The audit team leader had conducted a certification audit at Alterhealth in the past. The top management of Alterhealth decided to reject the appointment of this auditor because they believed that they would not receive added value from the audit. In response, the certification body appointed Jonathan, an independent auditor with no prior engagements with Alterhealth, as the new audit team leader. Jonathan's introduction marked the beginning of a collaborative process aimed at evaluating the conformity of the AIMS to ISO/IEC 42001 requirements.
The certification body determined the audit scope, which included only specific departments essential to the integration and application of Al, such as the Al Research, Machine Learning Applications, and Al Ethics and Compliance Departments, and did not cover all of the departments covered by the AIMS scope. Meanwhile, Alterhealth determined the audit time, setting the necessary time frame for planning and conducting a thorough and effective review to ensure all aspects of the AIMS within the selected departments were meticulously reviewed.
Afterward, Jonathan received a detailed offer from the certification body, outlining his role and including information related to the audit, such as the audit's duration, team members, their responsibilities, the limits to the audit engagement, and their salary compensation. With a clear mandate, Jonathan was tasked with a multitude of responsibilities: defining the audit objectives and criteria, planning the audit process, identifying and addressing audit risks, managing communication with Alterhealth, overseeing the audit team, and ensuring a smooth and conflict free execution.
With Jonathan's leadership and a well-defined audit framework in place, the certification audit proceeded with a structured and objective evaluation of Alterhealth's AIMS.
- A. No, the auditee does not have the authority to reject an auditor assigned by the certification body
- B. No, an auditor can only be rejected by the auditee if a conflict of interest is present
- C. Yes, if the auditor lacks knowledge of AI systems
- D. Yes, this is a valid reason for rejecting an auditor
正解:B
解説:
According to ISO/IEC 17021-1:2015 Clause 9.1.7, the auditee has the right to object to specific audit team members, but such objection must be supported by a valid justification such as a perceived conflict of interest or lack of competence.
Rejecting an auditor solely based on the claim that they will not "bring added value" does not meet this criterion. Unless a legitimate concern is raised - such as impartiality, bias, or conflict of interest - the certification body is under no obligation to change the auditor.
Reference:
ISO/IEC 17021-1:2015, Clause 9.1.7 - Audit team selection and auditee objection ISO 19011:2018, Clause 5.3 - Auditor competence and impartiality PECB ISO/IEC 42001 Lead Auditor Guide - Section: Responsibilities of Certification Bodies and Auditees
\===========
質問 # 117
Question:
Which of the following does NOT constitute an appropriate technology requirement for virtualaudits between the auditee and audit team?
- A. Conducting a trial run of the audit process using the selected technology
- B. Ensuring contingency plans are available and communicated
- C. Performing pre-audit technical assessments
正解:A
解説:
While helpful,a trial run of the full auditis not a standardrequirementfor virtual audits.
* ISO/IEC 17021-1:2015 Clause 9.2.3.1requires virtual audit feasibility to be confirmed in advance - including connectivity, security, and data access - buttrial runs are optional, not mandated.
* ISO 19011:2018 Clause 6.4.5adds that"pre-audit assessments and contingency planning must be conducted for remote audits to ensure audit reliability." Reference:ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO 19011:2018 Clause 6.4.5.
質問 # 118
What should audit findings that are nonconformities NOT be recorded as?
- A. Opportunities for improvement
- B. Corrective actions needed
- C. Nonfulfillment of a requirement
- D. Supporting evidence
正解:A
解説:
Audit findings classified as nonconformities represent a failure to fulfill a requirement and must not be recorded as mere opportunities for improvement (OFIs). Doing so would downplay the seriousness of the issue and could result in miscommunication of risk or oversight during corrective actions.
ISO 19011:2018, Clause 6.5.8, clearly distinguishes nonconformities from observations and improvement opportunities.
Reference:
ISO 19011:2018, Clause 6.5.8 - Audit Findings
PECB ISO/IEC 42001 Lead Auditor Guide - Chapter: Classification of Findings
\===========
質問 # 119
During the audit planning phase, what is the primary activity an auditor should focus on?
- A. Conducting interviews with staff
- B. Preparing checklists and audit plans
- C. Issuing corrective actions
- D. Reviewing the final report
正解:B
解説:
During theaudit planning phase, the auditor's key responsibility is toprepare audit plans, checklists, and resource allocationsto ensure an effective and efficient audit.
According toISO 19011:2018 - Clause 6.4.1, planning includes preparing the audit plan, defining the audit schedule, and ensuring that required documents, tools, and team members are ready.
ThePECB Lead Auditor Guide - Domain 4further emphasizes preparing tailoredaudit checklistsbased on ISO/IEC 42001 clauses and relevant organizational processes.
Reference: ISO 19011:2018 - Clause 6.4.1 (Planning the audit)
PECB Lead Auditor Guide - Domain 4: "Audit Planning Activities and Tools"
質問 # 120
Question:
Who is responsible for reviewing the corrections, identified causes, and corrective actions of the auditee?
- A. The certification body
- B. The audit team
- C. The internal auditor
正解:A
解説:
Thecertification bodyhas the ultimate responsibility forreviewing and verifyingcorrective actions after an audit.
* ISO/IEC 17021-1:2015 Clause 9.4.9states:"The certification body shall review the correction, cause analysis, and corrective actions proposed by the client."
* Although the audit team may assist, responsibility lies with the certification body for ensuring compliance before issuing or maintaining certification.
Reference:ISO/IEC 17021-1:2015 Clause 9.4.9; ISO/IEC 42001 Lead Auditor Guide Section 8 ("Post-Audit Responsibilities").
質問 # 121
Scenario 4: Finalogic leads the application of artificial intelligence in the financial services sector, which is used to improve risk assessment, fraud detection, and customer service. The company has implemented an artificial intelligence management system (AIMS) based on ISO/IEC 42001 to ensure operational quality, ethical AI use, regulatory compliance, and transparency, allowing for consistent oversight and structured governance.
This month, Finalogic is undergoing an audit to obtain certification against ISO/IEC 42001, a critical step in demonstrating its commitment to responsible AI. To evaluate Finalogic's conformity to the audit criteria, the audit team adopted a comprehensive, evidence-based approach. The gathered evidence ranged from analyses of unquantifiable information to analyses of samples related to determining the audit criteria-including internal reports generated by Finalogic's own AI system-which assert successful integration and compliance with the standard.
Additionally, presentations by the company's AI team during the audit highlighted the system's success in customer service enhancements and fraud detection, emphasizing improved efficiency, decision-making accuracy, and user trust. An evaluation report prepared by an independent third-party firm specializing in AI systems also provided an objective review of Finalogic's AIMS. It assessed the system's effectiveness, bias, and compliance through a thorough examination.
During the audit, the audit team applied the same level of effort and utilized the same techniques across all audit areas, regardless of their risk level. This strategy ensured a consistent and thorough evaluation of the AIMS, uncovering any latent weaknesses or inefficiencies that might otherwise go unnoticed.
Despite Finalogic's advanced AIMS and adherence to ISO/IEC 42001 for ethical AI practices, there remains a risk of AI algorithms inadvertently perpetuating bias or making inaccurate predictions due to unforeseen flaws in training data or algorithmic models. This could lead to unfair loan rejections or approvals, potentially causing financial losses or damaging the company's reputation for fairness and accuracy in its financial services. By acknowledging these risks, Finalogic remains committed to refining its AI governance, implementing bias mitigation strategies, and enhancing transparency to uphold its reputation as a leader in AI- driven financial services.
What type of audit is Finalogic undergoing?
- A. Second party
- B. Internal review
- C. Third party
- D. First party
正解:C
解説:
In the scenario, it is clearly stated that "Finalogic is undergoing an audit to obtain certification against ISO
/IEC 42001." Certification audits are conducted by external, independent organizations and are classified as third-party audits.
Definitions per ISO/IEC 17021 and ISO 19011 (referenced in ISO/IEC 42001):
* First-party audit: Internal audit conducted by or on behalf of the organization itself.
* Second-party audit: Conducted by parties having an interest in the organization, such as customers or regulators.
* Third-party audit: Conducted by an independent organization (certification body) for the purpose of certification or verification.
In this context, Finalogic is engaging with an external auditor for certification to ISO/IEC 42001, which is the defining feature of a third-party audit.
Reference:
ISO 19011:2018, Clause 3.13 - Types of audits
ISO/IEC 17021-1:2015 - Requirements for bodies providing audit and certification of management systems ISO/IEC 42001:2023, Clause 9.2 - Internal and external audit requirements PECB ISO/IEC 42001 Lead Auditor Study Guide - Chapter: Third-party Certification Process
\===========
Let me know when you're ready to proceed with Question No. 27.Question No. 27/80 Certainly! Below are the answers to Questions 27 to 30 from Scenario 4, each presented in the exact format you requested:
-
質問 # 122
What among the below list of steps comes before the other ones in the management system audit process?
- A. Initiating the audit
- B. Preparing the audit report
- C. Performing document review
- D. Conducting the opening meeting
正解:A
解説:
The first step in the audit process isInitiating the audit.
As perISO 19011:2018 - Clause 6.3, initiating the audit involves activities such asappointing the audit team
, defining theaudit scope and objectives, andcommunicating with the auditeeto set expectations.
After initiation, the auditor proceeds withdocument review, followed by theopening meeting, and then moves into audit execution and reporting.
Reference: ISO 19011:2018 - Clause 6.3 (Initiating the audit)
PECB Lead Auditor Guide - Domain 4: "Audit Lifecycle and Step-by-Step Process"
質問 # 123
Scenario 5 (continued):
Scenario 5: Aizoia, located in Washington, DC, has revolutionized data analytics, software development, and consulting by usingadvanced Al algorithms. Central to its success is an Al platform adept at deciphering complex datasets for enhanced insights. To ensure that its Al systems operate effectively and responsibly, Aizoia has established an artificial intelligence management system AIMS basedon ISO/IEC 42001 and is now undergoing a certification audit to verify the AIMS's effectiveness and compliance with ISO/IEC 42001.
Robert, one of the certification body's full-time employees with extensive experience in auditing, was appointed as the audit team leaderdespite not receiving an official offer for the role. Understanding the critical importance of assembling an audit team with diverse skills and knowledge, the certification body selected competent individuals to form the audit team. The certification body appointed a team ofseven members to conduct the audit after considering the specific conditions of the audit mission and the required competencies.
Initially, the certification body, in cooperation with Aizoia, defined the extent and boundaries of the audit, specifying the sites (whetherphysical or virtual), organizational units, and the activities for review. Once the scope, processes, methods, and team composition hadbeen defined, thecertification body provided the audit team leader with extensive information, including the audit objectives anddocumented details on the scope, processes, methods, and team compositions.
Additionally, the certification body shared contact details of the auditee, including locations, time frames, and the duration of the auditactivities to be conducted. The team leader also received information needed for evaluating and addressing identified risks andopportunities for the achievement of the audit objectives.
Before starting the audit, Robert wrote an engagement letter, introducing himself to Aizoia and outlining plans for scheduling initialcontact. The initial contact aimed to confirm thecommunication channels, establish the audit team's authority to conduct the audit, andsummarize the audit's key aspects, such as objectives, scope, criteria, methods, and team composition. During this first meeting, Robertemphasized the need for access to essential information that would help to conduct the audit.
Moreover, audit logistics, such as scheduling, access, health and safety arrangements, observer attendance, and the need for guides orinterpreters, were thoroughly planned. The meeting also addressed areas of interest or concern, preemptively resolving potential issuesand finalizing any matters related to the audit team composition.
As the audit progressed, Robert recognized the complexity of Aizoia's operations, leading him to conclude that a review of its Al-relateddata governance practices was essential for compliance with ISO/IEC 42001. He discussed this need with Aizoia's management,proposing an expanded audit scope. After careful consideration, they agreed to conduct a thorough review of the Al data governancepractices, but there was no mutual decision to officially change the audit scope. Consequently. Robert decided to proceed with the auditbased on the original scope, adhering to the initial audit plan, and documented the conversation and decision accordingly.
Based on the scenario above, answer the following question:
Question:
According to Scenario 5, was Robert's decision to proceed with the audit without changing its scope appropriate?
- A. Yes, because no agreement was reached to change the scope, and he documented the decision accordingly
- B. No, Robert must have withdrawn from the audit and informed the interested parties
- C. No, Robert should have opted to conduct a follow-up audit
正解:A
解説:
Robert acted correctly by proceedingwithout changing the scope, because no official agreement was made to modify it, and he documented the conversation properly.
* ISO/IEC 17021-1:2015 Clause 9.2.3.1specifies that"Audit scope can only be changed if formally agreed by both the auditee and the certification body."
* TheLead Auditor Guidesays:"If the auditee and auditor cannot agree to modify the audit scope, the original scope must remain valid, and deviations should be documented." Reference:ISO/IEC 17021-1:2015 Clause 9.2.3.1; ISO/IEC 42001:2023 Clause 9.2.
質問 # 124
Scenario 2 (continued):
Empsy HR Solutions is a human resources consulting company that provides innovative HR solutions to diverse industries. Recognizing the significant impact of artificial intelligence Al in HR processes, including its ability to automate repetitive tasks, analyze vast amounts of data for insights, improve recruitment and talent management strategies, and personalize employee experiences, the company has initiated the implementation of an artificial intelligence management system AIMS based on ISO/IEC 42001.
Initially, the top management established an Al policy that was aligned with the company's objectives. The Al policy provided a framework for defining Al objectives, a commitment to meeting relevant requirements, and a dedication to continually improve the AIMS. However, it did not refer to other organizational policies, although some were relevant to the AIMS. Afterward, the top management documented the policy, communicated it internally, and made it accessible to interested parties.
The top management designated specific individuals to ensure that the AIMS meets the standard's requirements. Additionally, they ensured that these individuals were responsible for overseeing the AIMS, reporting its performance to the top management, and facilitating continual improvement. Moreover, in its awareness sessions, the company focused exclusively on ensuring that all personnel were informed about the Al policy, emphasizing their role in ensuring the effectiveness of the AIMS and the benefits of enhanced Al performance.
The company also planned, implemented, and monitored processes to meet AIMS requirements. Additionally, it set clear criteria and implemented controls based on them, ensuring effective operation, alignment with organizational objectives, and continual improvement. Empsy HR Solutions decided to implement strict measures to control changes to documented information within the AIMS. To ensure the integrity and accuracy of documentation, the company adopted version control practices. Each document update was tracked using a versioning system, with clear records of what was modified, who made the changes, and when the updates occurred. Access to make changes was restricted to authorized personnel, and any proposed modifications required approval from the designated management team before being implemented.
Moreover, considering past experiences where the company encountered unforeseen risks, Empsy HR Solutions established a comprehensive Al risk assessment process. This process involved identifying, analyzing, and evaluating Al risks to determine if it is necessary to implement additional controls than those specified in Annex A. The company also referred to Annex B for guidance on implementing controls and, ultimately, produced a Statement of Applicability So A. The SoA contained the necessary controls, including all the controls of Annex A and justifications for their inclusion or exclusion.
Lastly. Empsy HR Solutions decided to establish an internal audit program to ensure the AIMS conforms to both the company's requirements and ISO/IEC 42001. It defined the audit objectives, criteria, and scope for each audit, selected auditors, and ensured objectivity and impartiality during the audit process. The results of the first audit were documented and reported only to the top management of the company.
Question:
Based on Scenario 2, was the awareness session conducted in accordance with the requirements of Clause 7.3 Awareness of ISO/IEC 42001?
- A. Yes, the awareness session informed employees about the AI policy and highlighted their role in ensuring the effectiveness of the AIMS
- B. Yes, because awareness sessions focus only on AI policy
- C. No, the awareness session should also explain the justification for the inclusion and the exclusion of Annex A controls
- D. No, the awareness session should also communicate the implications of not conforming to the AIMS requirements
正解:D
解説:
ISO/IEC 42001 Clause 7.3 requires that awareness training should not only inform employees about the AI policy and roles but also communicate the implications of nonconformance with AIMS requirements.
Since Empsy HR Solutions missed this, it is non-compliant.
Reference: ISO/IEC 42001:2023 Clause 7.3 (Awareness).
質問 # 125
Scenario: NeuraGen, founded by a team of AI experts and data scientists, has gained attention for its advanced use of artificial intelligence. It specializes in developing personalized learning platforms powered by AI algorithms. MindMeld, its innovative product, is an educational platform that uses machine learning and stands out by learning from both labeled and unlabeled data during its training process. This approach allows MindMeld to use a wide range of educational content and personalize learning experiences with exceptional accuracy. Furthermore, MindMeld employs an advanced AI system capable of handling a wide variety of tasks, consistently delivering a satisfactory level of performance. This approach improves the effectiveness of educational materials and adapts to different learners' needs.
NeuraGen skillfully handles data management and AI system development, particularly for MindMeld.
Initially, NeuraGen sources data from a diverse array of origins, examining patterns, relationships, trends, and anomalies. This data is then refined and formatted for compatibility with MindMeld, ensuring that any irrelevant or extraneous information is systematically eliminated. Following this, values are adjusted to a unified scale to facilitate mathematical comparability. A crucial step in this process is the rigorous removal of all personally identifiable information (PII) to protect individual privacy. Finally, the data is subjected to quality checks to assess its completeness, identify any potential bias, and evaluate other factors that could impact the platform's efficacy and reliability.
NeuraGen has implemented an advanced artificial intelligence management system (AIMS) based on ISO
/IEC 42001 to support its efforts in AI-driven education. This system provides a framework for managing the life cycle of AI projects, ensuring that development and deployment are guided by ethical standards and best practices.
NeuraGen's top management is key to running the AIMS effectively. Applying an international standard that specifically provides guidance for the highest level of company leadership on governing the effective use of AI, they embed ethical principles such as fairness, transparency, and accountability directly into their strategic operations and decision-making processes.
While the company excels in ensuring fairness, transparency, reliability, safety, and privacy in its AI applications, actively preventing bias, fostering a clear understanding of AI decisions, guaranteeing system dependability, and protecting user data, it struggles to clearly define who is responsible for the development, deployment, and outcomes of its AI systems. Consequently, it becomes difficult to determine responsibility when issues arise, which undermines trust and accountability, both critical for the integrity and success of AI initiatives.
Based on Scenario 1, which of the following processes did NeuraGen NOT conduct regarding data?
- A. Data annotation
- B. Data preparation
- C. Filtering
正解:A
解説:
According to the scenario, NeuraGen conducts several data preparation steps, such as:
"Refining and formatting data for compatibility" # this is data preparation.
"Systematically eliminating irrelevant or extraneous information" # this is filtering.
"Adjusting values to a unified scale" # this is part of normalization under data preparation.
"Removal of all personally identifiable information (PII)" # this is data privacy processing.
However, there is no mention of "data annotation," which refers to the process of labeling data-particularly relevant in supervised learning. Since the scenario describes semi-supervised learning (both labeled and unlabeled data), annotation might exist, but the company has not described it as a process they conduct themselves. Thus, annotation is the missing element.
Reference:
ISO/IEC 42001:2023, Clause 7.4 - Data and input management
ISO/IEC 22989:2022, Clause 3.7 - Definitions for annotation and labeling ISO/IEC TR 24028:2020 - Data preparation practices for trustworthy AI
質問 # 126
Scenario 3 (continued):
ArBank is a financial institution located in Brussels, Belgium, which offers a diverse range of banking and investment servicesto its clients. To ensure the continual improvement of its operations, ArBank has implemented a quality management system QMS based on ISO 9001 and an artificial intelligence management system AIMS based on the requirements of ISO/IEC
42001.
Audrey, an experienced auditor, led an internal audit focused on the AIMS within ArBank. She assessed the chatbots integrated into thebank's website and mobile app, analyzing communications using big data technology to identify potential noncompliance, fraud, orunethical conduct. Instead of relying solely on the information provided by the chatbots, Audrey sought out evidence that would eitherconfirm or challenge the validity of the data, ensuring her conclusions were based on reliable and accurate information. Her review ofselected chatbot interactions confirmed they met their intended purpose.
For the specific context of ArBank's operations, Audrey utilized an Al system to assess the efficiency of the bank's digital infrastructure,focusing on tasks critical to the Finance Department. This Al system was able to analyze the functionality of chatbots integrated intoArBank's website and mobile app to determine if it adheres to ISO/IEC 42001 requirements and internal policies governing customerservice in the banking sector.
In addition, Audrey conducted a deeper assessment of the bank's AIMS. Her evaluation included observing different stages of the AIMSlife cycle, from development to deployment, to ensure that roles and responsibilities were clearly defined and aligned with ArBank'soperational goals. She also evaluated the tools used to monitor and measure the performance of the AIMS.
Audrey continued the audit process by auditing ArBank's outsourced operations. Upon checking the contractual agreements between thetwo parties, Audrey decided that there was no need to gather audit evidence regarding the contractual agreement. She reviewed thecompany's processes for monitoring the quality of outsourced operations, determined whether appropriate governance processes are inplace with regard to the engagement of outsourced persons or organizations, andreviewed and evaluated the company's plans in case ofexpected or unexpected termination of the outsourcing agreement.
Based on the scenario above, answer the following question:
Question:
Based on Scenario 3, did Audrey perform a technical assessment during the audit?
- A. Yes, she performed a general assessment of ArBank's customer service performance
- B. No, only the certification body should perform technical assessments
- C. No, she only reviewed contractual agreements with outsourced service providers
- D. Yes, she conducted observations of the AIMS life cycle and evaluated the tools used to monitor its performance
正解:D
解説:
Audreyconducted a technical assessmentbecause she observed the AIMS lifecycle (development, deployment) and evaluated monitoring tools, as required:
* ISO/IEC 42001 Clause 9.2.2 ("Conducting Audits") mandates that auditors must assess the full lifecycle and technical effectiveness of AI systems.
* TheLead Auditor Manualnotes:"Technical assessments during AIMS audits must include evaluating controls for AI system monitoring, performance, and lifecycle stages." Reference:ISO/IEC 42001:2023 Clause 9.2.2; Lead Auditor Study Guide, Section 5 ("Technical Review during Audits").
質問 # 127
Scenario 8 (continued):
Scenario 8:
Scenario 8: InnovateSoft, headquartered in Berlin, Germany, is a software development company known for its innovative solutions andcommitment to excellence. It specializes in custom software solutions, development, design, testing, maintenance, and consulting,covering both mobile apps and web development.
Recently, the company underwent an audit to evaluate the effectiveness and compliance of its artificial intelligence management system AIMS against ISO/IEC 42001.
The audit team engaged with the auditee to discuss their findings and observations during the audit's final phases. After evaluating theevidence, the audit team presented their audit findings to InnovateSoft, highlighting the identified nonconformities.
Upon receiving the audit findings, InnovateSoft accepted the conclusions but expressed concerns about some findings inaccuratelyreflecting the efficiency of their software development processes. In response, the company provided new evidence and additionalinformation to alter the audit conclusions for a couple of minor nonconformities identified. After thorough consideration, the audit teamleader clarified that the new evidence did not significantly alter the core conclusions drawn for the nonconformities. Therefore, thecertification body issued a certification recommendation conditional upon the filing of corrective action plans without a prior visit.
InnovateSoft accepted the decision of the certification body. The top management of the company also sought suggestions from theaudit team on resolving the identified nonconformities. The audit team leader offered solutions to address the issues, fostering acollaborative effort between the auditors and InnovateSoft.During the closing meeting, the audit team covered key topics to enhance transparency. They clarified to InnovateSoft that the auditevidence was based on a sample, acknowledging the inherent uncertainty. The method and time frame of reporting and grading findingswere discussed to provide a structured overview of nonconformities. The certification body's process for handling nonconformities,including potential consequences, guided InnovateSoft on corrective actions. The time frame for presenting a plan for correction was communicated, emphasizing urgency. Insights into the certification body's post-audit activities were provided, ensuring ongoing support.
Lastly, the audit team briefed InnovateSoft on complaint and appeal handling.
InnovateSoft submitted the action plans for each nonconformity separately, describing only the detected issues and the correctiveactions planned to address the detected nonconformities. However, the submission slightly exceeded the specified period of 45 days setby the certification body, arriving three days later.
InnovateSoft explained this by attributing the delay to unexpected challengesencountered during the compilation of the action plans.
InnovateSoft submitted corrective action plans for nonconformities three days past the certification body's deadline of 45 days.
Question:
Based on Scenario 8, is InnovateSoft eligible for certification?
- A. Yes, the submission of the action plans can be delayed for up to 10 days
- B. Yes, it is up to the auditee to decide when to submit the action plans
- C. No, the action plans were not submitted within the specified period
正解:A
解説:
While ISO/IEC 17021-1 does not prescribe a strict number of days, certification bodiestypically allow minor grace periods, e.g., 5-10 days, based on internal policy.
* ISO/IEC 17021-1:2015 Clause 9.4.9requires that nonconformities must be addressedwithin a timeframe agreed by the certification body.
* If the delay is minor (e.g., 3 days), and the CB accepts it with justification, the certification process can still proceed.
* TheLead Auditor Manualnotes:"Minor extensions may be granted for corrective actions when justified and documented." Reference:ISO/IEC 17021-1:2015 Clause 9.4.9; ISO/IEC 42001 Lead Auditor Guide - Section 8 ("Certification Decision Timelines").
質問 # 128
According to scenario 9, was the audit team leader's decision to conduct a visit to ImoAI's premises acceptable?
Scenario 9: ImoAl, headquartered in California. USA, provides Al solutions for various industries such as finance, healthcare, retail, and manufacturing. Its clients include major financial institutions seeking Al powered fraud detection systems, healthcare providers leveraging Al for diagnostics and patient care, retailers optimizing supply chain management with Al forecasting, and manufacturers enhancing production efficiency through Al-driven automation.
ImoAl has recently undergone a certification audit to ensure that its artificial intelligence management system AIMS is in compliance with ISO/IEC 42001. During the audit, a major nonconformity related to data security protocols was identified, requiring urgent resolution.
ImoAl swiftly initiated corrective actions to address the
major nonconformity. The audit follow-up, in agreement with the auditee, was scheduled six weeks after the initial audit. As part of exploring alternatives to audit follow-up, the audit team leader chose to verify the effectiveness of the actions taken by the auditee by scheduling a specific visit to ImoAI's premises.
The follow-up audit involved a thorough evaluation of the effectiveness of these actions. The audit team leader thoroughly examined the corrections, corrective actions, and root cause analysis conducted by ImoAl to assess whether they adequately addressed the nonconformity identified during the initial audit.
In conjunction with the external audit follow-up, ImoAl engaged its internal auditing team to oversee the progress of corrective actions. The AIMS manager of ImoAl updated Ms. Rebecca Hayes, the internal auditor, on the status of corrections and corrective actions prompted by the nonconformity identified during the external audit. Subsequently, Ms. Hayes thoroughly reviewed these measures, analyzing the corrections, root causes, and effectiveness of the implemented actions.
Upon satisfactory validation of the action plans, ImoAl was recommended for certification.
- A. No, the audit team leader should have verified the effectiveness of the auditee's actions remotely
- B. No, the effectiveness of auditee's actions could have been verified during an upcoming surveillance audit
- C. Yes, the verification of corrections can be subject to a specific on-site visit at the auditee
正解:C
解説:
ISO/IEC 17021-1:2015 Clause 9.4.8 allows certification bodies to conduct an on-site follow-up audit when dealing with major nonconformities. The audit team leader has discretion to verify the effectiveness of corrective actions through documentation or via physical inspection, depending on the nature and severity of the nonconformity.
Since the issue involved data security - a critical operational area - an on-site verification is justified and often expected.
Reference:
ISO/IEC 17021-1:2015 Clause 9.4.8 - Follow-up on major nonconformities
ISO/IEC 42001:2023 Clause 6.3 - Evaluation of AI controls and verification of actions taken
\===========
質問 # 129
According to the core element of 'Privacy and Security,' what is essential when developing AI systems?
- A. Enhancing the graphical user interface
- B. Ensuring the protection of personal data and system security
- C. Increasing the efficiency of AI algorithms
- D. Reducing the development time
正解:B
解説:
ThePrivacy and Securityprinciple focuses on safeguardingpersonal dataand ensuring therobustness of AI systems against security threats.
As outlined inISO/IEC 42001:2023 - Clause 6.1.2 and 8.2.3, organizations must addressdata protection, cybersecurity, and access controlsthroughout the AI system lifecycle.
This is particularly relevant in contexts where AI systems handlesensitive or identifiable data, such as health, finance, or biometrics.
Reference: ISO/IEC 42001:2023 - Clause 6.1.2 (AI-related risks and impacts), Clause 8.2.3 (Controls for privacy, ethics, and security) PECB Lead Auditor Guide - Domain 1: "Trustworthy AI - Privacy and Security Requirements"
質問 # 130
Which phase involves the collection of objective evidence through interviews, observations, and examination of documents?
- A. Preparing the audit report
- B. Audit planning
- C. Conducting the audit
- D. Audit follow-up
正解:C
解説:
The Conducting the audit phase (Domain 5) is where the audit team actively collects objective evidence through:
* Interviews with relevant personnel
* Observation of processes and systems
* Examination of documents and records
This aligns with the procedures described in ISO 19011:2018 (Guidelines for Auditing Management Systems), which is referenced and applied in ISO/IEC 42001 auditing practices.
According to the PECB Lead Auditor Guide, Domain 5 explicitly outlines this activity as the main operational phase of the audit, aimed at evaluating conformity of the AI Management System with ISO/IEC
42001 requirements.
Reference: PECB Lead Auditor Guide - Domain 5: "Conducting the audit"
ISO 19011:2018 - Clauses 6.4.5 and 6.4.6 (Collecting and verifying information) ISO/IEC 42001:2023 - Clause 9.2.2 (Internal Audit Implementation)
質問 # 131
A retail company wants to implement a system that can predict customer buying behavior based on their browsing history and past purchases. Which AI concept would be most suitable for developing this predictive system?
- A. Computer Vision
- B. Machine Learning (ML)
- C. Natural Language Processing (NLP)
- D. Deep Learning (DL)
正解:B
解説:
Machine Learning (ML)is the most suitable AI concept in this scenario. ML focuses on developing algorithms that canlearn from structured or unstructured dataand make predictions based on historical patterns.
In this case, analyzing customerbrowsing history and purchase recordsfalls directly undersupervised learning, a subcategory of ML, which is typically used forpredictive modelingin retail (such as next-best- offer, product recommendation, or demand forecasting).
According to the PECB Lead Auditor Study Guide (Domain 1),ML is specifically referenced as the core techniquefor prediction systems, user behavior modeling, and data-driven decision-making systems.
Though Deep Learning (DL) is a subset of ML, it is often used for more complex pattern recognition tasks such as image or speech recognition, which is not explicitly required here.
質問 # 132
Question:
Which of the following describes a joint audit?
- A. When audits are conducted back-to-back for efficiency
- B. When two or more management systems are audited together at a single auditee
- C. When two or more auditing organizations cooperate to audit a single auditee
- D. When an internal audit and a third-party audit are conducted simultaneously
正解:C
解説:
AJoint Auditis when two or more audit organizationscooperateto audit the same auditee.
* ISO 19011:2018 Clause 3.9defines joint audit as:"An audit carried out by two or more auditing organizations cooperating to audit a single auditee."
* This is further echoed in ISO/IEC 42001:2023, which supports joint audits especially inmulti-country and consortium environments (Clause 9.2.1 reference to audit scope management).
Reference:ISO 19011:2018 Clause 3.9; ISO/IEC 42001:2023 Clause 9.2.1.
質問 # 133
......
あなたを余裕でISO-IEC-42001-Lead-Auditor試験合格させます!100%高合格率保証:https://www.jpntest.com/shiken/ISO-IEC-42001-Lead-Auditor-mondaishu
ISO-IEC-42001-Lead-Auditor問題集本日限定!無料アクセス可能に!:https://drive.google.com/open?id=1_70tk6N29bW6laVtYPcyfB2ig7zV6us5