PECB ISO-IEC-27001-Lead-Auditor-CN Real 2025 Braindumps Mock Exam Dumps [Q138-Q159]

ISO-IEC-27001-Lead-Auditor-CN Exam Questions | Real ISO-IEC-27001-Lead-Auditor-CN Practice Dumps

NEW QUESTION # 138
Which two of the following items of information are not required for the audit planning of a certification audit?

  • A. Audit checklist
  • B. Document review
  • C. Working experience of the management system representative
  • D. Audit plan
  • E. Sampling plan
  • F. The organisation's financial statement

Answer: C,F

Explanation:
These two items are not required for the audit planning of a certification audit, because neither bears on the audit objectives, scope, criteria or methods. The working experience of the management system representative is not a requirement of ISO/IEC 27001 and does not affect the conformity or effectiveness of the ISMS. The organisation's financial statement is not part of the ISMS documentation and provides no evidence of ISMS performance or improvement. The other items are needed for audit planning, since they help determine the audit activities, resources, schedule and sampling strategy. References: PECB Candidate Handbook, pages 19-20; ISO 9001 Auditing Practices Group guidance, pages 1-2; ISO/IEC 27001:2022, clause 9.2.


NEW QUESTION # 139
You are an experienced ISMS auditor supporting an ISMS auditor in training who is taking part in her first initial certification audit. She asks you what she should verify when auditing an organisation's information security objectives. You ask her what she has included in her audit checklist, and she gives the answers below.
Which three of these answers would concern you with regard to conformity with ISO/IEC 27001:2022?

  • A. I will check that a completion date has been set for each objective and that there are no objectives with a missing "achieve by" date
  • B. I will check that all the information security objectives are measurable. If they are not measurable, the organisation will not be able to track progress against them
  • C. I will check that there is a process in place to periodically revisit the information security objectives, with a view to amending or cancelling them if circumstances require it
  • D. I will check how each information security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
  • E. I will check that the budget, manpower and materials needed to achieve each objective have been determined
  • F. I will check that top management have determined the information security objectives for the current year. If not, I will check that this task has been scheduled for completion
  • G. I will check that the information security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved and by when

Answer: A,F,G

Explanation:
Clause 6.2 of ISO/IEC 27001:2022 requires the organisation to establish information security objectives at relevant functions and levels. The objectives shall be consistent with the information security policy, measurable (if practicable), monitored, communicated, updated as appropriate, and available as documented information. When auditing an organisation's information security objectives, an ISMS auditor therefore verifies each of these aspects against the audit criteria.
The three responses from the auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:
* F. Checking that top management have determined the objectives for the current year, and otherwise that the task has been scheduled: this suggests the auditor in training is unaware that objectives are required at relevant functions and levels, not only at top management level, and that she is prepared to accept a delay in establishing them, which would affect ISMS performance and effectiveness.
* G. Checking that the objectives are written down on paper: the standard requires objectives that are measurable (if practicable) and available as documented information; it does not prescribe paper. Documented information may be held in any suitable medium or format (electronic records, intranet pages, posters, newsletters), and the auditor should be checking content and availability, not the medium.
* A. Checking that a completion date has been set for each objective and that none lacks an "achieve by" date: this treats objectives as items to be completed by a date rather than as something to be monitored and updated as appropriate, for example when the organisation's internal or external context changes or new risks or opportunities arise.
The other responses do not cause concern. D relates to the communication requirement of clause 6.2; C to the requirement to update objectives as appropriate; E to the planning of the resources needed to achieve them; and B to the requirement that objectives be measurable so that progress can be tracked. References: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements.


NEW QUESTION # 140
You are conducting a third-party surveillance audit of a client's ISMS. You are currently in the secure storage area of the data centre, where the organisation's customers can temporarily hold equipment that is on its way into or out of the site. The equipment is kept in locked cabinets, each assigned to a specific customer.
Out of the corner of your eye you notice movement near the outer door of the storage area, followed by a loud bang. You ask the guide what happened. They tell you that recent heavy rainfall has raised the level of the local river and driven rats into the building, and that the noise was a dedicated pest-control stunning device being triggered. You look at the device in the corner and see a large, motionless rat inside it.
Which three actions should you take next?

  • A. Investigate whether pest infestation is an identified risk and, if so, what risk treatment is to be applied
  • B. Check the customer cabinets for signs of rodent entry and record your findings as audit evidence
  • C. Check with the guide that they intend to initiate the organisation's information security incident process
  • D. Determine whether the heavy rainfall has had other impacts on data centre operations, such as infrastructure damage, customer access problems or invocation of business continuity arrangements
  • E. Raise a nonconformity against control 7.2 Physical entry
  • F. Raise a nonconformity against control 7.4 Physical security monitoring
  • G. Help the guide dispose of the rat humanely and reset the device
  • H. Take no further action. This is an ISMS audit, not an environmental management system audit

Answer: A,C,D

Explanation:
The appropriate next actions are to investigate whether pest infestation is an identified risk and, if so, what risk treatment applies; to check with the guide that they intend to initiate the organisation's information security incident process; and to determine whether the heavy rainfall has had other impacts on data centre operations. These actions follow the audit trail from an observed physical event into the organisation's risk assessment and treatment, incident management and business continuity processes, which is where the audit criteria apply.
The other actions are either outside the scope of an ISMS audit, not required by ISO/IEC 27001, or not the auditor's responsibility. In particular, raising nonconformities against controls 7.2 or 7.4 would be premature: a triggered pest-control device is an observation, not yet evidence that a control has failed, until the risk treatment and incident handling behind it have been examined. References: PECB Candidate Handbook, pages 21-22; ISO/IEC 27001:2022, clauses 6.1, 8.2, 9.1 and 10.2.


NEW QUESTION # 141
In the event of an information security incident, system users should observe the following roles and responsibilities, except:

  • A. Making the details of the information security incident known to all employees
  • B. Cooperating with investigators during the investigation where required
  • C. Preserving evidence where necessary
  • D. Reporting suspected or known incidents via the service desk on discovery

Answer: A

Explanation:
The role and responsibility that system users should not take on in the event of an information security incident is A: making the incident details known to all employees. Broadcasting incident details can cause unnecessary panic, confusion or speculation among staff who are not part of the incident response, can compromise the confidentiality and integrity of incident information that may be sensitive, and may breach the organisation's information security policies and procedures, which normally require discretion when handling incidents. The other options describe what system users should do: report suspected or known incidents via the service desk on discovery (D), preserve evidence where necessary (C), and cooperate with investigators where required (B). These responsibilities support a quick, effective and orderly response. ISO/IEC 27001 requires the organisation to plan for and manage information security incidents (Annex A.16.1 in the 2013 edition; controls 5.24 to 5.28 in the 2022 edition, with 6.8 covering event reporting). References: CQI and IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course; ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements; What is Information Security Incident Management?


NEW QUESTION # 142
You are an experienced ISMS audit team leader providing instruction to an ISMS auditor in training. They have been asked to carry out an assessment of external providers and have prepared a checklist containing the activities below. They ask you to review their checklist to confirm that the actions they propose are appropriate.
The audit they have been invited to join is a third-party surveillance audit of a data centre. The data centre is part of a wider telecommunications group. Each data centre within the group runs its own ISMS and holds its own certificate.
Select the three options that relate to the requirements of ISO/IEC 27001:2022 regarding external providers.

  • A. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS
  • B. I will ensure the organisation ranks its external providers and allocates the majority of its work to those rated highest
  • C. I will ensure the organisation has a reserve external provider for each process it has identified as critical to preserving the confidentiality, integrity and accessibility of its information
  • D. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of their products or services
  • E. I will ensure top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes
  • F. I will limit my audit activity to externally provided processes, as there is no need to audit externally provided products or services
  • G. I will check that the other data centres are treated as external providers, even though they are part of the same telecommunications group
  • H. I will ensure the organisation regularly monitors, reviews and evaluates external provider performance

Answer: D,G,H

Explanation:
* G. I will check that the other data centres are treated as external providers, even though they are part of the same telecommunications group. This is appropriate because clause 8.1 of ISO/IEC 27001:2022 requires the organisation to ensure that externally provided processes, products or services relevant to the ISMS are controlled. "External" is judged against the boundary of the certified ISMS, not the corporate group: sister data centres that run their own ISMS and hold their own certificate are outside this ISMS and should be controlled like any other external provider.
* D. I will ensure external providers have a documented process in place to notify the organisation of any risks arising from the use of their products or services. This is appropriate because clause 8.1 requires externally provided processes, products or services to be controlled, and Annex A control 5.20 (addressing information security within supplier agreements) is where such obligations are placed on the provider contractually. One such obligation is to notify the organisation of risks arising from its products or services, such as security incidents, vulnerabilities or changes that could affect the organisation's information security, and a documented process on the provider's side is what makes that notification timely, accurate and complete.
* H. I will ensure the organisation regularly monitors, reviews and evaluates external provider performance. This is appropriate because control of externally provided processes, products or services under clause 8.1 is not a one-off, and Annex A control 5.22 (monitoring, review and change management of supplier services) expects the organisation to measure and verify the conformity and suitability of the provider's deliverables and activities, feed back improvement actions where needed, and retain records of the results.
* A. I will ensure the organisation has determined the need to communicate with external providers regarding the ISMS. This reflects clause 7.4, which requires the organisation to determine the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom and how; external providers are one such audience. It is a legitimate audit trail, but it is not one of the three options selected in the answer key (D, G and H), which address external providers specifically.
The following activities are not appropriate for the assessment of external providers under ISO/IEC 27001:2022:
* C. I will ensure the organisation has a reserve external provider for each process it has identified as critical to preserving the confidentiality, integrity and accessibility of its information. ISO/IEC 27001:2022 does not require a reserve provider for each critical process. The organisation may choose a contingency plan or backup arrangement in case the provider fails or is disrupted, but this is a risk treatment decision, not a mandatory requirement: the organisation assesses the risks associated with the provider and selects the treatment options, which may or may not include a reserve provider.
* F. I will limit my audit activity to externally provided processes, as there is no need to audit externally provided products or services. Clause 8.1 covers externally provided processes, products and services. Externally provided products or services may include software, hardware, data or cloud services that affect the organisation's information security, so the audit activity should cover all of them as applicable.
* E. I will ensure top management have assigned roles and responsibilities for those providing external ISMS processes as well as internal ISMS processes. Clause 5.3 requires top management to assign roles and responsibilities for the ISMS within the organisation, not within its external providers. Providers assign their own roles and responsibilities for what they deliver; the organisation's job is to ensure, through its agreements and its own controls, that providers are competent, aware and contractually bound to meet its information security requirements.
* B. I will ensure the organisation ranks its external providers and allocates the majority of its work to those rated highest. ISO/IEC 27001:2022 does not require providers to be ranked or work to be allocated on that basis. The organisation may evaluate and compare provider performance, but it selects and uses providers according to its own information security criteria and objectives.
References: CQI and IRCA Certified Training, ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) course; PECB, ISO/IEC 27001 Lead Auditor training course.


NEW QUESTION # 143
Which two of the following statements are true?

  • A. The audit programme describes the activities and arrangements for an audit.
  • B. The audit plan describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.
  • C. Once agreed, the audit plan is fixed and cannot be changed during the audit.
  • D. The audit plan describes the activities and arrangements for an audit.
  • E. The audit team leader is responsible for managing the audit programme.
  • F. The audit programme describes the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

Answer: D,F

Explanation:
The two true statements are D and F. In ISO 19011:2018 an audit plan is the description of the activities and arrangements for an audit (clause 3.6), while an audit programme is the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose (clause 3.4). Statements A and B swap these definitions and are false. C is false because the audit plan may be changed as the audit progresses if necessary, with the agreement of the audit client and the auditee. E is false because responsibility for managing the audit programme rests with the person or people assigned to manage it, who need not be the audit team leader; the team leader manages the individual audit. References: ISO 19011:2018, Guidelines for auditing management systems, clauses 3.4 and 3.6 (terms), 5 (managing an audit programme) and 6 (conducting an audit).


NEW QUESTION # 144
Scenario 4: SendPay is a financial company that provides services through a network of agents and financial institutions. One of its main services is transferring money worldwide. As a new company, SendPay is committed to providing the best possible service to its customers. Because it offers international transactions, it requires customers to provide personal information such as their identity, the reason for the transaction, and other details that may be needed to complete it. SendPay has therefore implemented security measures to protect customer information, including detecting, investigating and responding to any information security threats that may arise. Its commitment to secure services is also reflected in its ISMS implementation, in which the company has invested considerable time and resources.
Last year SendPay launched its digital platform, which allows money transactions from electronic devices such as smartphones or laptops without additional fees. Through this platform SendPay's customers can send and receive money at any time and from anywhere. The digital platform has helped SendPay streamline its operations and expand its business further. At the time, SendPay was outsourcing its software operations, so the project was delivered by the outsourcing company's software development team.
That team was also responsible for maintaining SendPay's technical infrastructure.
Recently, after almost a year of ISMS implementation, the company applied for ISO/IEC 27001 certification. It contracted a certification body that met its criteria. Shortly afterwards, the certification body appointed a team of four auditors to audit SendPay's ISMS.
During the audit, the following situations were observed:
1. The outsourced software company terminated its contract with SendPay without prior notice. As a result, SendPay was unable to bring the service back in-house immediately, and its operations were disrupted for five days. The auditors asked SendPay's representatives for evidence that they had a plan to follow in the event of contract termination. The representatives provided no documented evidence, but told the auditors during the interview that SendPay's top management had identified two other software development companies that could provide the service immediately if a similar situation arose again.
2. There was no evidence that the activities outsourced to the software development company were being monitored. Again, SendPay's representatives told the auditors that they communicated regularly with the software development company and were kept appropriately informed of any changes that might occur.
3. Firewall testing found no abnormal conditions. The auditors tested the firewall configuration to determine the level of security these services provided. They used a packet analyser to test the firewall policy, which allowed them to inspect packets sent or received in real time.
Based on this scenario, answer the following question:
Regarding the third situation observed, the auditors themselves tested the configuration of the firewall implemented in SendPay's network. How would you describe this situation? Refer to Scenario 4.

  • A. Acceptable; technical evidence is needed to verify the operation of technical processes
  • B. Unacceptable; auditors should only observe the testing of system or device configurations, not test the systems themselves
  • C. Unacceptable; firewall configurations should not be tested during an audit because this could affect the operation of the system

Answer: A

Explanation:
It is acceptable, and often necessary, for auditors to test technical controls such as firewalls to verify that they operate as documented. Observing a configuration screen shows what the rule base says; passing traffic through the firewall and inspecting it with a packet analyser shows what the rule base does, which is the objective evidence an auditor needs for a technical control. As with any activity on a live system, the test should be agreed with the auditee in advance and carried out so that it does not disrupt operations.
References: ISO/IEC 27001:2013, Annex A.13 (Communications security; in the 2022 edition the corresponding controls are 8.20 Networks security to 8.22 Segregation of networks); ISO 19011:2018, Guidelines for auditing management systems.
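The kind of evidence such a test yields can be shown by comparing what the packet analyser observed with what the documented rule base says should happen. The following Python is an added example, not code from the page or from SendPay: the rule set, the first-match-with-implicit-deny evaluation semantics and the observed flows are all constructed for illustration. A real test would feed the evaluator the exported rule base and the analyser's capture summary, and real firewalls differ in rule semantics.

```python
"""Added example: checking packet-analyser observations against a documented
firewall policy. Not from the page or SendPay; the policy, the first-match
semantics and the observed flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any destination port


def _matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """Does a single rule match the flow? Every field must match."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def expected_action(policy: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an implicit deny closes the policy (assumed semantics)."""
    for rule in policy:
        if _matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


Flow = Tuple[str, str, str, int, bool]  # proto, src, dst, dport, seen on the inside?


def compare(policy: List[Rule], observed: List[Flow]) -> List[dict]:
    """Return flows whose observed outcome contradicts the documented policy.

    A flow seen on the inside interface was allowed; one that never appeared
    inside was dropped. Each mismatch is a piece of audit evidence that the
    firewall does not enforce the policy it is documented to enforce."""
    findings = []
    for proto, src, dst, dport, seen_inside in observed:
        expected = expected_action(policy, proto, src, dst, dport)
        actual = "allow" if seen_inside else "deny"
        if expected != actual:
            findings.append({"flow": (proto, src, dst, dport),
                             "expected": expected, "observed": actual})
    return findings


# Constructed policy: the Internet may reach the DMZ web tier on 443 only;
# internal hosts may talk to each other; everything else is denied.
POLICY = [
    Rule("allow", "tcp", "any", "203.0.113.0/24", 443),
    Rule("allow", "any", "10.0.0.0/8", "10.0.0.0/8", None),
    Rule("deny", "any", "any", "any", None),
]

# Constructed analyser observations (documentation prefixes 198.51.100.0/24 and
# 203.0.113.0/24 stand in for Internet and DMZ addresses).
OBSERVED: List[Flow] = [
    ("tcp", "198.51.100.7", "203.0.113.10", 443, True),
    ("tcp", "198.51.100.7", "203.0.113.10", 22, False),
    ("tcp", "198.51.100.7", "203.0.113.10", 8080, True),   # should have been dropped
    ("tcp", "198.51.100.7", "10.9.9.9", 443, True),        # Internet straight to an internal host
    ("udp", "10.1.2.3", "10.9.9.9", 53, True),
]


if __name__ == "__main__":
    for finding in compare(POLICY, OBSERVED):
        print(finding)
```

Run against the constructed data, the comparison yields two findings, both flows that the policy says should have been dropped but that the analyser saw on the inside. Those two lines, with the capture that produced them, are the "technical evidence" option A refers to; a clean run is evidence in the other direction.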


NEW QUESTION # 145
Match the correct responsibility with each participant of a second-party audit:

Answer:

Explanation:

The correct responsibility for each participant of a second-party audit is:
* Prepares the audit report: Audit Team Leader. The audit team leader coordinates the audit activities, communicates with the auditee and the customer, and prepares and delivers the audit report summarising the audit findings and conclusions.
* Prepares audit checklists for use during the audit: Auditor. The auditor collects and verifies objective evidence during the audit, using checklists as a tool to guide the audit and ensure that all relevant aspects of the audit criteria are covered.
* Supports an auditor and provides feedback on their experience: Auditor in training. An auditor in training is learning to perform audits under the supervision of an experienced auditor; they support the auditor by observing and taking part in audit activities, and give feedback on their experience to improve their skills and competence.
* Follows up on audit findings within an agreed timeframe: Auditee. The auditee is the organisation being audited by the customer, or by a third party on the customer's behalf. It provides access and cooperation to the auditors and follows up on the findings within an agreed timeframe by implementing corrective actions or improvements as needed.
* Provides an independent account of the audit but does not participate in the audit: Observer. An observer accompanies the audit team without taking part in the audit activities. The observer may represent the customer, a regulatory body or another interested party, and provides an independent account of the audit without interfering with or influencing its process or outcome.
* Escorts the auditors but does not participate in the audit: Guide. A guide is appointed by the auditee to assist the audit team: escorting the auditors between locations, facilitating access to information and personnel, and providing clarification when the auditors ask for it. The guide neither participates in the audit nor influences its results.


NEW QUESTION # 146
You are carrying out an ISMS audit at a residential nursing home that provides healthcare services. The next step in your audit plan is to verify the information security incident management process. The IT security manager presents the information security incident management procedure and explains that the process is based on ISO/IEC 27035-1:2016.
You review the document and notice the statement "Any information security weakness, event or incident must be reported to the point of contact (PoC) within 1 hour of identification." When interviewing staff, you find that they differ in their understanding of what "weakness", "event" and "incident" mean.
You take a sample of incident report records from the incident tracking system for the past 6 months and summarise the results in the table below.

You want to investigate other areas to gather more audit evidence. Select the two options that will not be in your audit trail.

  • A. Collect more evidence on how the organisation determines incident recovery time. (Relevant to control A.5.27)
  • B. Collect more evidence on how and when the HR manager paid a ransom to unlock personal mobile data (i.e. credit card and bank transfer). (Relevant to control A.5.26)
  • C. Collect more evidence by interviewing more staff about their understanding of the reporting process. (Relevant to control A.6.8)
  • D. Collect more evidence on the service requirements for healthcare monitoring. (Relevant to clause 4.2)
  • E. Collect more evidence on how the organisation determines that no further action is required after an incident. (Relevant to control A.5.26)
  • F. Collect more evidence on how and when the company paid a ransom to unlock company phones and data (i.e. credit card and bank transfer). (Relevant to control A.5.26)
  • G. Collect more evidence on the incident recovery procedure. (Relevant to control A.5.26)

Answer: D,F

Explanation:
Clause 4.2 of ISO/IEC 27001:2022 requires the organisation to determine the interested parties relevant to the ISMS and their relevant requirements, including the legal, regulatory and contractual requirements that apply to its information security activities. The service requirements for healthcare monitoring belong to that context-setting work; they are not directly related to the audit objective at this step, which is to verify the information security incident management process, so collecting more evidence on them is not part of this audit trail.


NEW QUESTION # 147
Which of the following situations represents a threat?

  • A. HackX uses and distributes pirated software
  • B. Information security training is provided only to members of the organisation's IT team
  • C. Hackers compromised an administrator's account by cracking the password

Answer: C

Explanation:
A threat in information security is any circumstance or event with the potential to harm an information system through unauthorised access, destruction, disclosure or modification of data, or denial of service. Hackers compromising an administrator's account by cracking its password is a direct threat to the security of the information system. Providing training only to the IT team is a weakness in the organisation's controls (a vulnerability), not a threat in itself. References: general information security principles as covered in ISMS ISO/IEC 27001 Lead Auditor training and certification programmes.


NEW QUESTION # 148
Which two of the following options are benefits, for organisations and interested parties, of third-party accredited certification of an information security management system to ISO/IEC 27001:2022?

  • A. Third-party accredited certification indicates that the organisation's ICT products are protected and certified
  • B. Third-party accredited certification ensures that the organisation's IT systems are protected from external interference
  • C. Third-party accredited certification indicates that the organisation meets the legal and regulatory requirements expected by interested parties
  • D. Third-party accredited certification ensures that the organisation gains more customers
  • E. Third-party accredited certification demonstrates that the organisation's management system takes a systematic approach to information security
  • F. Third-party accredited certification indicates that the organisation's management system is maintained and effective

Answer: E,F

Explanation:
Third-party accredited certification of an information security management system to ISO/IEC 27001:2022 gives organisations and interested parties assurance that the management system is maintained and effective: it conforms to the requirements of the standard, meets the organisation's objectives and policies, and addresses the risks and opportunities related to information security. It also demonstrates that the management system takes a systematic approach to information security, following the Plan-Do-Check-Act cycle, applying risk-based thinking, and considering the context and needs of the organisation and its stakeholders. Certification does not guarantee that products are secure, that systems cannot be attacked, that every legal requirement is met, or that the organisation will win more business.


NEW QUESTION # 149
You are an audit team leader conducting a third-party audit of an online insurance company. During Stage 1 you found that the organisation had taken a very cautious approach to risk and included all the information security controls in Annex A of ISO/IEC 27001:2022 in its Statement of Applicability.
During the Stage 2 audit, your audit team found no evidence of a risk treatment plan for the implementation of three controls (5.3 Segregation of duties, 6.1 Screening, 7.12 Cabling security). You raised a nonconformity against clause 6.1.3 e) of ISO/IEC 27001:2022.
At the closing meeting, the Technical Director produces an extract from an amended Statement of Applicability (shown) and asks for the nonconformity to be withdrawn.

Select the three options that are correct responses of the audit team leader to the Technical Director's request.

  • A. Inform the Technical Director that once a nonconformity has been raised it cannot be withdrawn.
  • B. State that a follow-up audit will be necessary to review the evidence for the updated Statement of Applicability.
  • C. Advise the Technical Director that the nonconformity must stand, since the evidence obtained for it was clear.
  • D. Advise management that the information provided will be reviewed when the auditors have more time.
  • E. Ask the auditor who raised the issue for their opinion on how you should respond to the request.
  • F. Inform the Technical Director that the nonconformity will be changed to an opportunity for improvement.
  • G. Inform the Technical Director that his request will be included in the audit report.
  • H. Review the documents produced and withdraw the nonconformity.

Answer: B,C,G

Explanation:
The three correct responses of the audit team leader to the Technical Director's request are:
* G. Inform the Technical Director that his request will be included in the audit report.
* C. Advise the Technical Director that the nonconformity must stand, since the evidence obtained for it was clear.
* B. State that a follow-up audit will be necessary to review the evidence for the updated Statement of Applicability.
* G. The audit team leader should document the Technical Director's request and include it in the audit report alongside the audit findings and conclusions. This keeps the audit process and its results transparent and traceable.
* C. The nonconformity should not be withdrawn on the strength of an amended Statement of Applicability alone. It was raised against clause 6.1.3 e) of ISO/IEC 27001:2022, which requires the organisation to formulate an information security risk treatment plan. The Statement of Applicability is a separate output of the same clause (6.1.3 d) listing the selected controls and their justification; amending it at the closing meeting does not show that a risk treatment plan exists for the three controls, nor that they have been implemented. The nonconformity rests on objective evidence gathered during the audit, not on claims made after the evidence was collected.
* B. A follow-up audit is conducted after a previous audit to verify the implementation and effectiveness of the corrective actions and improvements agreed as a result of it. Here it should confirm that the nonconformity has been effectively addressed, that the risk treatment plan now covers the three controls, and that any new or changed risks or requirements affecting the ISMS have been taken into account.
References:
PECB Candidate Handbook - ISO 27001 Lead Auditor, page 25; ISO 19011:2018 - Guidelines for auditing management systems, clause 6.7; ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements, clause 6.1.3; ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection - Guidance on managing information security risks, clause 8.3.2.


NEW QUESTION # 150
Having completed Stage 1 and while preparing for the Stage 2 initial certification audit, the auditee informs the audit team leader that they wish to extend the audit scope to include two additional sites recently acquired by the organisation.
Given this information, what action would you expect the audit team leader to take?

  • A. Arrange to complete a remote Stage 1 audit of the two sites using a video conferencing platform
  • B. Obtain information about the additional sites to inform the certification body
  • C. Increase the length of the Stage 2 audit to include the extra sites
  • D. Inform the auditee that the request can be accepted but that the full Stage 1 audit must be repeated

Answer: B

Explanation:
ISO/IEC 17021-1, which sets the requirements for bodies providing audit and certification of management systems, requires the certification body to determine audit time and audit team composition from factors such as the scope of certification, the size and complexity of the organisation, and the risks associated with its activities. If the auditee asks to extend the scope to two additional sites after Stage 1, the audit team leader should therefore obtain information about the sites and pass it to the certification body, so that the body can review and approve the change of scope and adjust the audit time and team accordingly. The other options are not appropriate: lengthening the Stage 2 audit without involving the certification body would bypass its procedures; a remote Stage 1 of the two sites by video conference may be neither feasible nor effective, depending on the nature and location of the sites; and repeating the full Stage 1 audit is unnecessary if the auditee's ISMS has not significantly changed since Stage 1. References: ISO/IEC 17021-1:2015 - Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements.


NEW QUESTION # 151
You are conducting an information security management system audit in the despatch department of an international logistics organisation that provides shipping services to large organisations such as local hospitals and government offices.
Parcels typically contain medicines, biological samples and documents such as passports and driving licences.
You notice that company records show a large number of returned items, with reasons including incorrectly addressed labels and, in 15% of cases, two or more labels with different addresses on a single parcel. You are interviewing the Shipping Manager (SM).
You: Are parcels checked before despatch?
SM: Anything visibly damaged is removed by the duty staff before despatch, but margins are tight, so it is not economical to implement a formal inspection process.
You: What is done when an item is returned?
SM: Most of these contracts are relatively low value, so we decided it was simpler and more convenient to just reprint the label and resend the individual parcel than to carry out an investigation.
You raise a nonconformity against clause 8.1 of ISO/IEC 27001:2022.
Which of the following best describes the nonconformity you have found?

  • A. The organisation does not have an effective process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications), without adequate operational controls to meet information security requirements.
  • B. The organisation does not have an effective process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels contained details provided to the recipient for another party (which may include sensitive medical information or government department communications), without adequate operational procedures to meet information security requirements.
  • C. The organisation does not have an effective process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels contained protected information (which may include sensitive medical information or government department communications), without adequate operational processes to meet information security requirements.
  • D. The organisation does not have an appropriate audit process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels contained inaccurate information (which may include sensitive medical information or government department communications), without adequate operational rules to meet information security requirements.
  • E. The organisation does not have an approved process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels had the information for the other party corrected for the recipient (which may include sensitive medical information or government department communications), without adequate operational methods to meet information security requirements.

Answer: A

Explanation:
The nonconformity you have identified concerns the organisation's failure to implement adequate operational controls to ensure that service and regulatory requirements for data protection are met. This matters because of what is being shipped: medicines, biological samples and identity documents, and with them sensitive medical information and government communications. That 15% of returned parcels carried labels for different addresses means information intended for one party has potentially been exposed to another, and the Shipping Manager's answers show that neither pre-despatch checking nor post-return investigation exists to catch it.
The best description of the nonconformity, based on the details provided and clause 8.1 of ISO/IEC 27001:2022 (operational planning and control), is:
A: The organisation does not have an effective process in place to ensure that service requirements and regulatory requirements for data protection are met. Records show that 15% of returned parcels have disclosed information intended for another party to the recipient (which may include sensitive medical information or government department communications), without adequate operational controls to meet information security requirements.
This option states the nonconformity precisely: the absence of effective operational controls leading to potential unauthorised disclosure of information intended for another party. The alternatives misdescribe either the failure (an "audit process", an "approved process") or the consequence ("inaccurate" or "corrected" information), neither of which is what the records show.


NEW QUESTION # 152
You are conducting a third-party surveillance audit when another member of the audit team approaches you for clarification. They have been asked to assess the organisation's application of control 5.7 Threat intelligence. They know this is one of the new controls introduced in the 2022 edition of ISO/IEC 27001 and want to be sure they audit the control correctly.
They have prepared a checklist to help with their audit and would like you to confirm that their planned activities meet the requirements of the control.
Which three of the following options represent valid audit trails?

  • A. I will ensure the organisation's risk assessment process starts with effective threat intelligence
  • B. I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets
  • C. I will review the organisation's threat intelligence process and ensure that it is fully documented
  • D. I will ensure the task of producing threat intelligence is assigned to the organisation's internal audit team
  • E. I will ensure appropriate measures are in place to report to top management on the effectiveness of the current threat intelligence arrangements
  • F. I will speak to top management to ensure all staff are aware of the importance of reporting threats
  • G. I will review how information relating to information security threats is collected and evaluated to produce threat intelligence
  • H. I will determine whether internal and external sources of information are used in the production of threat intelligence

Answer: B,C,H

Explanation:
ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Its Annex A control 5.7 states that information relating to information security threats shall be collected and analysed to produce threat intelligence. The guidance in ISO/IEC 27002:2022 expands on this: the organisation should draw on both internal sources (for example its own incident records and monitoring data) and external sources (for example vulnerability databases, threat feeds, vendor advisories and sector information-sharing groups); the resulting intelligence should be relevant, insightful, contextual and actionable; and it should feed risk assessment and treatment as well as other information security activities such as detection, incident response and the configuration of technical controls. Therefore, when auditing the organisation's application of control 5.7, an ISMS auditor should verify that these aspects are met in accordance with the audit criteria.
Three options that represent valid audit trails for verifying control 5.7 are:
* I will review the organisation's threat intelligence process and will ensure that this is fully documented: This option is valid because it can provide evidence of how the organisation has established and maintained a threat intelligence process that is consistent with its ISMS scope and objectives. It can also verify that the process is documented according to clause 7.5 of ISO/IEC 27001:2022.
* I will check that threat intelligence is actively used to protect the confidentiality, integrity and availability of the organisation's information assets: This option is valid because it can provide evidence of how the organisation has used threat intelligence to support its risk assessment and treatment, as well as other information security activities, such as incident response, awareness, or monitoring. It can also verify that the organisation has achieved its information security objectives according to clause 6.2 of ISO/IEC 27001:2022.
* I will determine whether internal and external sources of information are used in the production of threat intelligence: This option is valid because it can provide evidence of how the organisation has used various sources of information, such as vulnerability databases, threat feeds, industry reports, etc., to produce threat intelligence that is relevant and reliable. It can also verify that the organisation has complied with the requirement of control 5.7 of ISO/IEC 27001:2022.
The other options are not valid audit trails for verifying control 5.7, as they are not related to the control or its requirements. For example:
* I will speak to top management to make sure all staff are aware of the importance of reporting threats: This option is not valid because it does not provide evidence of how the organisation has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding information security awareness or communication, but not specifically to control 5.7.
* I will ensure that the task of producing threat intelligence is assigned to the organisation's internal audit team: This option is not valid because control 5.7 does not prescribe which function produces threat intelligence, so there is nothing here to audit against. It would also undermine the objectivity and impartiality of the internal audit process required by clause 9.2.2 of ISO/IEC 27001:2022 and recommended by ISO 19011:2018, since the internal audit team could not then audit a process it operates itself.
* I will ensure that the organisation's risk assessment process begins with effective threat intelligence: This option is not valid because it does not provide evidence of how the organisation has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It also implies a prescriptive approach to risk assessment that is not consistent with ISO/IEC 27005:2018, which provides guidelines for information security risk management and does not require a risk assessment to start from threat intelligence.
* I will review how information relating to information security threats is collected and evaluated to produce threat intelligence: This option is not selected because, as worded, it is too vague to form an audit trail on its own: it does not say what criteria or methods the auditor will use to judge the collection and evaluation activities, and the concrete checks it implies (a documented process, use of internal and external sources) are already stated by options C and H.
* I will ensure that appropriate measures have been introduced to inform top management as to the effectiveness of current threat intelligence arrangements: This option is not valid because it does not provide evidence of how the organisation has established and maintained a threat intelligence process or used threat intelligence to support its ISMS activities. It may be related to another control or requirement regarding management review or performance evaluation, but not specifically to control 5.7.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements; ISO 19011:2018 - Guidelines for auditing management systems; ISO/IEC 27005:2018 - Information technology - Security techniques - Information security risk management


NEW QUESTION # 153
The data centre you work for is currently seeking ISO/IEC 27001:2022 certification. In preparation for your initial certification visit, a colleague from another data centre in your group has conducted a number of internal audits. That data centre obtained its ISO/IEC 27001:2022 certificate earlier this year.
You have just qualified as an internal ISMS auditor, and your manager has asked you to review the audit process and audit findings as a final check before the external certification body arrives.
Which six of the following would cause you concern in respect of conformity to ISO/IEC 27001:2022 requirements?

  • A. The audit programme does not reference audit methods or audit responsibilities
  • B. According to the audit programme, top management commitment to the ISMS will not be audited before the certification visit
  • C. The audit programme does not take into account the relative importance of information security processes
  • D. The audit process states that the results of audits will be made available to 'relevant' managers, not top management
  • E. The audit programme shows management reviews taking place at irregular intervals during the year
  • F. Audit reports are not held in hardcopy (i.e. on paper). They are only stored as '.POF documents' on the organisation's intranet
  • G. The audit programme does not take into account the results of previous audits
  • H. The audit programme mandates that auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022
  • I. Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes
  • J. Although the scope for each internal audit has been defined, no audit criteria have been defined for the audits carried out to date

Answer: B,C,E,G,I,J

Explanation:
According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 9.3 requires top management to review the organisation's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness. Clause 9.2 requires the organisation to conduct internal audits at planned intervals to provide information on whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022, and is effectively implemented and maintained. Therefore, when reviewing the audit process and audit findings as a final check before the external certification body arrives, an internal ISMS auditor should verify that these clauses are met in accordance with the audit criteria.
Six of the following statements would cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:
* The audit programme shows management reviews taking place at irregular intervals during the year: This statement would cause concern because it implies that the organisation is not conducting management reviews at planned intervals, as required by clause 9.3. This may affect the ability of top management to ensure the continuing suitability, adequacy and effectiveness of the ISMS.
* The audit programme does not take into account the relative importance of information security processes: This statement would cause concern because clause 9.2.2 requires the audit programme to take into consideration the importance of the processes concerned, and ISO 19011:2018 recommends the same risk-based approach to setting audit frequency, methods, scope and criteria. Without it, the organisation may fail to identify and address the most significant risks and opportunities for its ISMS.
* Although the scope for each internal audit has been defined, there are no audit criteria defined for the audits carried out to date: This statement would cause concern because it implies that the organisation is not defining audit criteria for each internal audit, as required by clause 9.2.2. Audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared (ISO 19011:2018). Without audit criteria, it is not possible to determine whether the ISMS conforms to its own requirements and those of ISO/IEC 27001:2022.
* Audit reports to date have used key performance indicator information to focus solely on the efficiency of ISMS processes: This statement would cause concern because it implies that the organisation is not evaluating the effectiveness of ISMS processes, as required by clause 9.1. Effectiveness is the extent to which planned activities are realised and planned results achieved; efficiency is the relationship between the result achieved and the resources used. Both aspects matter for measuring ISMS performance and improvement, but the standard's requirement is for effectiveness.
* The audit programme does not take into account the results of previous audits: This statement would cause concern because clause 9.2.2 requires the audit programme to take into consideration the results of previous audits, and ISO 19011:2018 likewise treats them as an input to planning subsequent audits. Ignoring them may leave recurring or unresolved nonconformities in the ISMS unaddressed.
* Top management commitment to the ISMS will not be audited before the certification visit, according to the audit programme: This statement would cause concern because it implies that the organisation is not verifying that top management demonstrates leadership and commitment with respect to its ISMS, as required by clause 5.1. This may affect the ability of top management to ensure that the ISMS policy and objectives are established and compatible with the strategic direction of the organisation; that roles, responsibilities and authorities for relevant roles are assigned and communicated; that resources needed for the ISMS are available; that communication about information security matters is established; that continual improvement of the ISMS is promoted; that other relevant management reviews are aligned with those of information security; and that support is provided to other relevant roles.
The other statements would not cause concern in respect of conformity to ISO/IEC 27001:2022 requirements:
* Audit reports are not held in hardcopy (i.e. on paper). They are only stored as '.POF documents' on the organisation's intranet: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. The standard does not prescribe any specific format or media for documenting or storing audit reports, as long as they are controlled according to clause 7.5.
* The audit programme mandates auditors must be independent of the areas they audit in order to satisfy the requirements of ISO/IEC 27001:2022: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. Clause 9.2.2 requires that auditor selection and the conduct of audits ensure the objectivity and impartiality of the audit process; mandating independence from the audited area is an accepted way of achieving that, consistent with ISO 19011:2018.
* The audit programme does not reference audit methods or audit responsibilities: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. Clause 9.2.2 lists methods and responsibilities among the elements of an audit programme, but the standard does not prescribe where they are recorded; it is sufficient that they are defined and documented, for example in the audit procedure, in line with ISO 19011:2018.
* The audit process states the results of audits will be made available to 'relevant' managers, not top management: This statement would not cause concern because it does not imply any nonconformity with ISO/IEC 27001:2022 requirements. Clause 9.2.2 requires only that the results of audits are reported to relevant management; top management then receives them as an input to management review under clause 9.3.
References: ISO/IEC 27001:2022 - Information technology - Security techniques - Information security management systems - Requirements, ISO 19011:2018 - Guidelines for auditing management systems


NEW QUESTION # 154
You are an experienced ISMS audit team leader providing guidance to an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answers are either 'True' or 'False'. Which four of the following questions should be answered 'True'?

  • A. The outcomes of a follow-up audit should be reported to top management and to the audit team leader who carried out the audit in which the nonconformities were initially identified
  • B. A follow-up audit may be carried out where nonconformities are major
  • C. The outcome of a follow-up audit may be to downgrade a major nonconformity to a minor nonconformity
  • D. A follow-up audit is required only where major nonconformities have been identified
  • E. The outcome of a follow-up audit may be a recommendation to suspend the client's certification
  • F. A follow-up audit is required in all cases where nonconformities have been identified
  • G. The outcomes of a follow-up audit should be reported to the individual managing the audit programme and to the audit client
  • H. A follow-up audit may be carried out where nonconformities are minor

Answer: A,B,G,H

Explanation:
* A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organisation's management system to achieve its intended results, and therefore requires corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system.
* A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system.
* The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee.
* The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organisation or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee.
References:
* ISO 19011:2018 Guidelines for auditing management systems
* ISO/IEC 27001:2022 Information technology - Security techniques - Information security management systems - Requirements
* ISO/IEC 17021-1:2015 Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements


NEW QUESTION # 155
Which two of the following statements are correct?

  • A. The purpose of an ISMS is to apply a risk management process for preserving information security
  • B. The benefit of certifying an ISMS is to obtain contracts from governmental institutions
  • C. The purpose of an ISMS is to demonstrate compliance with regulatory requirements
  • D. The benefit of implementing an ISMS derives mainly from a reduction in information security risks

Answer: A,D

Explanation:
The benefit of implementing an ISMS derives mainly from a reduction in information security risks, although it also brings improved business performance, customer satisfaction, legal compliance, and stakeholder confidence.
The benefit of certifying an ISMS is not merely to obtain contracts from governmental institutions, but to demonstrate the organisation's commitment to information security to any potential customer, partner or regulator. The purpose of an ISMS is to apply a risk management process for preserving information security, which means identifying, analysing, evaluating, treating, monitoring, and reviewing the information security risks that the organisation faces. The purpose of an ISMS is not to demonstrate compliance with regulatory requirements; rather, it is to ensure that the organisation meets its own information security objectives and obligations, of which regulatory requirements are only one part.
References:
* ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) objectives and content from Quality.org and PECB
* ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements [Section 0.1] and [Section 1]


NEW QUESTION # 156
OrgXY is an ISO/IEC 27001 certified software development company. One year after obtaining certification, OrgXY's top management informs the certification body that the company is not ready for the surveillance audit. What happens in this case?

  • A. OrgXY transfers its registration to another certification body
  • B. The certification is suspended
  • C. The current certification remains in use until the next surveillance audit

Answer: B

Explanation:
If an organisation like OrgXY informs the certification body that it is not ready for the surveillance audit as scheduled, the certification may be suspended. The surveillance audit is a critical part of ongoing certification maintenance, required to confirm that the management system continues to fulfil the standard; a certification body that cannot carry it out has no basis for keeping the certificate active.
References: PECB ISO/IEC 27001 Lead Auditor Course Material; ISO/IEC 17021-1:2015 (requirements for certification bodies, including surveillance activities and the suspension, withdrawal or reduction of the scope of certification)


NEW QUESTION # 157
Who may access highly confidential files?

  • A. Employees with a business need-to-know
  • B. Contractors with a business need-to-know
  • C. Employees with a business need-to-know who have signed an NDA
  • D. Designated non-employees with approved access who have signed an NDA

Answer: A

Explanation:
According to ISO/IEC 27001:2022, Annex A control 5.15 (Access control), rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements; the associated guidance in ISO/IEC 27002:2022 builds those rules on the need-to-know and least-privilege principles. Therefore, of the options given, only employees with a business need-to-know are allowed to access highly confidential files, and not contractors, non-employees, or employees whose only qualification is a signed NDA. References: ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) | CQI | IRCA


NEW QUESTION # 158
You are an experienced ISMS audit team leader conducting a third-party initial certification audit of a new client, using ISO/IEC 27001:2022 as the standard.
It is the afternoon of the second day of a two-day audit, and you are about to start writing the audit report.
So far no nonconformities have been identified, and you and your team are impressed by the site and the organisation's ISMS.
At this point, a member of your team approaches you and tells you that she was unable to complete her assessment of Leadership and commitment because she spent too long reviewing the change programme.
Which one of the following actions will you take in response to this information?

  • A. Given that no nonconformities have been identified and the overall impression of the organisation is good, record a positive certification recommendation in the audit report.
  • B. Contact your head office and await further instructions on how to proceed.
  • C. Contact the individual managing the audit programme and seek their permission to record a positive recommendation in the audit report.
  • D. Advise the auditee that the certification audit will need to be terminated and rescheduled.
  • E. Apologise to the client and tell them you will return later to check Leadership and commitment.
  • F. Review the audit plan and the client's availability to determine whether another member of the team could take on this task before the closing meeting.
  • G. Advise the client that, if they are prepared to upgrade your return flight to first class, you will audit Leadership and commitment in your free time tomorrow.
  • H. Advise the auditee and the audit client that it is not possible to make a positive recommendation at this point.

Answer: H

Explanation:
Leadership and commitment is a key requirement of ISO/IEC 27001:2022 (clause 5.1), as it establishes top management's role and responsibility in establishing, implementing, maintaining, and continually improving the ISMS. Without assessing this clause, the audit team cannot conclude that the ISMS is effective and conforms to the standard. Therefore, the audit team leader should advise the auditee and the audit client that it is not possible to make a positive recommendation at this point, and explain the reason and the implications. The audit team leader should also consult the certification body and the audit programme manager on the next steps, such as extending the audit duration or conducting a follow-up audit, depending on the certification body's policy and the audit client's agreement. References:
* ISO/IEC 27001:2022, clause 5, Leadership
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 19, Audit Process
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 22, Audit Report
* PECB Candidate Handbook ISO 27001 Lead Auditor, page 23, Audit Conclusion and Recommendation

