You are an experienced ISMS audit team leader. You are currently conducting a third-party surveillance audit of an international haulage organisation. You have sampled four internal audit reports which state:
Report 1 - Auditor: Mr James.
Over the year the organisation has failed to meet its promised delivery dates on 23 occasions out of 100. This is against a target of '95% of deliveries on time'.
Grading - Minor
Corrective Action due: Within 9 months.
Report 2 - Auditor: Mr James.
Between January and March, it was noted 125 complaints were received about the Service Desk Team. Clients accused them of being rude and unresponsive.
Grading - Minor
Corrective Action due: Within 12 months.
Report 3 - Auditor: Mr James.
Of the 40 customer orders received last month, 38 were correctly processed. Of the remaining 2, one was missing a signature and one was missing a date.
Grading -
Corrections due: Within 3 weeks
Report 4 - Auditor: Mr Rogers.
Of the 30 personnel records examined, 26 were found to be fully completed whilst the remaining 4 were all missing the individual's start date.
Grading - Major
Corrections due: Within 1 week
Which four of the options demonstrate the concerns you would have about these reports?
A. I would be concerned that timing for addressing the nonconformities is significantly different in the four reports
B. I would be concerned because action taken to address a major nonconformity should always be completed sooner than action taken to address minor nonconformities
C. I would have a concern that no nonconformity review was conducted
D. I would be concerned that the auditors focussed only on information security processes
E. I would be concerned as to whether the auditors understand the difference between corrections and corrective actions
F. I would be concerned that no grading is recorded for Report 3. This could indicate that the auditor did not complete the report correctly or that they failed to make a determination as to severity
G. I would be concerned as to whether criteria for grading nonconformities are in existence in this organisation
H. I would have a concern that one auditor appeared to be conducting most of the internal audits
Correct answer: A, E, F, G
Question 2:
What is the main difference between qualitative and quantitative evidence?
A. Qualitative evidence is used to make estimations about the whole population, while quantitative evidence focuses on evaluating if a process complies with standard requirements
B. Qualitative evidence originates from the analysis of a sample related to determining the audit criteria, while quantitative evidence originates from the analysis of unquantifiable information
C. Qualitative evidence focuses on evaluating if a process or control complies with the audit criteria, while quantitative evidence aims to determine if a process in operation is functional and effective
Correct answer: C
Explanation: (displayed only to Pass4Test members)
Question 3:
Scenario 9: UpNet, a networking company, has been certified against ISO/IEC 27001. It provides network security, virtualization, cloud computing, network hardware, network management software, and networking technologies.
The company's recognition has increased drastically since gaining ISO/IEC 27001 certification. The certification confirmed the maturity of UpNet's operations and its compliance with a widely recognized and accepted standard.
But not everything ended after the certification. UpNet continually reviewed and enhanced its security controls and the overall effectiveness and efficiency of the ISMS by conducting internal audits. The top management was not willing to employ a full-time team of internal auditors, so they decided to outsource the internal audit function. This form of internal audit ensured independence and objectivity, and gave the auditors an advisory role regarding the continual improvement of the ISMS.
Not long after the initial certification audit, the company created a new department specialized in data and storage products. They offered routers and switches optimized for data centers and software-based networking devices, such as network virtualization and network security appliances. This caused changes to the operations of the other departments already covered in the ISMS certification scope.
Therefore, UpNet initiated a risk assessment process and an internal audit. Following the internal audit result, the company confirmed the effectiveness and efficiency of the existing and new processes and controls.
The top management decided to include the new department in the certification scope since it complies with ISO/IEC 27001 requirements. UpNet announced that it is ISO/IEC 27001 certified and the certification scope encompasses the whole company.
One year after the initial certification audit, the certification body conducted another audit of UpNet's ISMS. This audit aimed to determine whether UpNet's ISMS fulfilled the specified ISO/IEC 27001 requirements and to ensure that the ISMS was being continually improved. The audit team confirmed that the certified ISMS continues to fulfill the requirements of the standard. Nonetheless, the new department had a significant impact on the governance of the management system. Moreover, the certification body had not been informed about any changes. Thus, UpNet's certification was suspended.
Based on the scenario above, answer the following question:
UpNet ensured independence, objectivity, and advisory activities from the internal audit. Is this action acceptable?
A. No, because internal audits should be independent of the audited activities
B. No, because the internal audit function was outsourced
C. Yes, because internal audits have an advisory role
Correct answer: C
Question 4:
Which option below is correct about the audit plan?
A. The audit plan should be flexible to allow for modifications
B. The audit plan involves the use of several audit procedures
C. The auditee's top management prepares the audit plan
Correct answer: A
Explanation: (displayed only to Pass4Test members)
Question 5:
Which two of the following phrases would apply to "plan" in relation to the Plan-Do-Check-Act cycle for a business process?
A. Training staff
B. Retaining documentation
C. Organising changes
D. Providing ICT assets
E. Setting objectives
F. Retaining documentation
Correct answer: A, E
Explanation: (displayed only to Pass4Test members)
瀬能** -
At 55 years old, I passed ISO-IEC-27001-Lead-Auditor easily.
I had failed once and this was my second attempt, but this book was easy to understand.