ISO Beingcert ISO/IEC 20000 Lead Implementer 認定 ISOIEC20000LI 試験問題:

1. An organization has implemented a control that enables the company to manage storage media through their life cycle of use. acquisition, transportation and disposal. Which control category does this control belong to?

A) Organizational
B) Physical
C) Technological

2. Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Why did InfoSec establish an IRT? Refer to scenario 7.

A) To comply with the ISO/IEC 27001 requirements related to incident management
B) To collect, preserve, and analyze the information security incidents
C) To assess, respond to, and learn from information security incidents

3. What action should UX Software take to mitigate residual risks? Refer to scenario 4.

A) UX Software should evaluate, calculate, and document the value of risk reduction following risk treatment
B) UX Software should accept the residual risks only above the acceptance level
C) UX Software should immediately implement new controls to treat all residual risks

4. Scenario 7: InfoSec is a multinational corporation headquartered in Boston, MA, which provides professional electronics, gaming, and entertainment services. After facing numerous information security incidents, InfoSec has decided to establish teams and implement measures to prevent potential incidents in the future Emma, Bob. and Anna were hired as the new members of InfoSec's information security team, which consists of a security architecture team, an incident response team (IRT) and a forensics team Emma's job is to create information security plans, policies, protocols, and training to prepare InfoSec to respond to incidents effectively Emma and Bob would be full-time employees of InfoSec, whereas Anna was contracted as an external consultant.
Bob, a network expert, will deploy a screened subnet network architecture This architecture will isolate the demilitarized zone (OMZ) to which hosted public services are attached and InfoSec's publicly accessible resources from their private network Thus, InfoSec will be able to block potential attackers from causing unwanted events inside the company's network. Bob is also responsible for ensuring that a thorough evaluation of the nature of an unexpected event is conducted, including the details on how the event happened and what or whom it might affect.
Anna will create records of the data, reviews, analysis, and reports in order to keep evidence for the purpose of disciplinary and legal action, and use them to prevent future incidents. To do the work accordingly, she should be aware of the company's information security incident management policy beforehand Among others, this policy specifies the type of records to be created, the place where they should be kept, and the format and content that specific record types should have.
Based on scenario 7. InfoSec contracted Anna as an external consultant. Based on her tasks, is this action compliant with ISO/IEC 27001°

A) Yes, forensic investigation may be conducted internally or by using external consultants
B) Yes, organizations must use external consultants for forensic investigation, as required by the standard
C) No, the skills of incident response or forensic analysis shall be developed internally

5. A small organization that is implementing an ISMS based on ISO/lEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?

A) No, the outsourcing of the internal audit function may compromise the independence and impartiality of the internal audit team
B) No, the organizations cannot outsource the internal audit function to a third party because during internal audit, the organization audits its own system
C) Yes, outsourcing the internal audit function to a third party is often a better option for small organizations to demonstrate independence and impartiality

質問と回答：