During a third-party certification audit you are presented with a list of issues by an auditee. Which four of the following constitute 'external' issues in the context of a management system to ISO/IEC 27001:2022?
A. A reduction in grants as a result of a change in government policy
B. Increased absenteeism as a result of poor management
C. Poor levels of staff competence as a result of cuts in training expenditure
D. Higher labour costs as a result of an aging population
E. Inability to source raw materials due to government sanctions
F. Poor morale as a result of staff holidays being reduced
G. A fall in productivity linked to outdated production equipment
H. A rise in interest rates in response to high inflation
Correct answer: A, D, E, H
Explanation: (shown only to Pass4Test members)
Question 2:
You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified. Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members." Select three options from the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.
A. ABC instructs all staff to follow the signed healthcare service agreement with residents' family members
B. ABC conducts a management review to take the feedback from residents' family members into consideration
C. The Service Manager provides evidence of analysis of the cause of the nonconformity and of how ABC evaluates the effectiveness of implemented corrective actions
D. The Service Manager implements the corrective actions and Customer Service Representatives evaluate the effectiveness of implemented corrective actions
E. ABC needs to collect more evidence on how the organisation defines the management system scope and find out whether it covers WeCare, the medical device manufacturer
F. ABC needs to collect more evidence on how information security risk assessment relates to the identified nonconformities before concluding actions on the nonconformity
G. ABC identifies and checks compliance with all applicable legislation and contractual requirements involving third parties
H. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA)
Correct answer: C, D, G
Explanation: (shown only to Pass4Test members)
Question 3:
You are performing an ISO 27001 ISMS surveillance audit at a residential nursing home, ABC Healthcare Services. ABC uses a healthcare mobile app designed and maintained by a supplier, WeCare, to monitor residents' well-being. During the audit, you learn that 90% of the residents' family members regularly receive medical device advertisements from WeCare, by email and SMS once a week. The service agreement between ABC and WeCare prohibits the supplier from using residents' personal data. ABC has received many complaints from residents and their family members.
The Service Manager says that the complaints were investigated as an information security incident which found that they were justified.
Corrective actions have been planned and implemented according to the nonconformity and corrective action management procedure.
You write a nonconformity: "ABC failed to comply with information security control A.5.34 (Privacy and protection of PII) relating to the personal data of residents and their family members. A supplier, WeCare, used residents' personal information to send advertisements to family members." Select three options from the corrections and corrective actions listed that you would expect ABC to make in response to the nonconformity.
A. ABC discontinues the use of the ABC Healthcare mobile app.
B. ABC trains all staff on the importance of maintaining information security protocols.
C. ABC cancels the service agreement with WeCare.
D. ABC asks an ISMS consultant to test the ABC Healthcare mobile app for protection against cyber-crime.
E. ABC introduces background checks on information security performance for all suppliers.
F. ABC periodically monitors compliance with all applicable legislation and contractual requirements involving third parties.
G. ABC confirms that information security control A.5.34 is contained in the Statement of Applicability (SoA).
H. ABC takes legal action against WeCare for breach of contract.
Correct answer: C, E, F
Explanation: (shown only to Pass4Test members)
Question 4:
The auditor was unable to identify that Company A hid their insecure network architecture. What type of audit risk is this?
A. Control
B. Detection
C. Inherent
Correct answer: B
Explanation: (shown only to Pass4Test members)
Question 5:
You are carrying out your first third-party ISMS surveillance audit as an Audit Team Leader. You are presently in the auditee's data centre with another member of your audit team.
You are currently in a large room that is subdivided into several smaller rooms, each of which has a numeric combination lock and swipe card reader on the door. You notice two external contractors using a swipe card and combination number provided by the centre's reception desk to gain access to a client's suite to carry out authorised electrical repairs.
You go to reception and ask to see the door access record for the client's suite. This indicates only one card was swiped. You ask the receptionist and they reply, "Yes, it's a common problem. We ask everyone to swipe their cards, but with contractors especially, one tends to swipe and the rest simply 'tailgate' their way in. But we know who they are from the reception sign-in."
Based on the scenario above, which one of the following actions would you now take?
A. Raise a nonconformity against control A.5.20 'addressing information security in supplier relationships' as information security requirements have not been agreed upon with the supplier
B. Determine whether any additional effective arrangements are in place to verify individual access to secure areas e.g. CCTV
C. Raise an opportunity for improvement that contractors must be accompanied at all times when accessing secure facilities
D. Raise an opportunity for improvement to have a large sign in reception reminding everyone that anyone requiring access must use their swipe card at all times
E. Raise a nonconformity against control A.7.6 'working in secure areas' as security measures for working in secure areas have not been defined
F. Raise a nonconformity against control A.7.1 'security perimeters' as a secure area is not adequately protected
Correct answer: B
Explanation: (shown only to Pass4Test members)
Aihara -
The questions include some that can be answered simply by memorization and some that cannot be answered without understanding the underlying mechanisms, but since they are presented sorted into these categories, you can see what to memorize and what to understand in order to pass, which lets you study for the ISO-IEC-27001-Lead-Auditor exam efficiently.