According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 5.2 requires top management to establish an information security policy that provides the framework for setting information security objectives1. Clause 6.2 requires top management to ensure that the information security objectives are established at relevant functions and levels1. Therefore, when verifying that the information security policy and objectives have been established by top management, an ISMS auditor should review relevant documents and records that demonstrate top management's involvement and commitment. To verify that the mobile device policy and objectives are implemented and effective, an ISMS auditor should review relevant documents and records that demonstrate how the policy and objectives are communicated, monitored, measured, analyzed, and evaluated. The auditor should also sample and verify the implementation of the controls that are stated in the policy. Three options for the audit trail that are relevant to verifying the mobile device policy and objectives are: Review the internal audit report to make sure the IT department has been audited: This option is relevant because it can provide evidence of how the IT department, which is responsible for managing the mobile devices and their security, has been evaluated for its conformity and effectiveness in implementing the mobile device policy and objectives. The internal audit report can also reveal any nonconformities, corrective actions, or opportunities for improvement related to the mobile device policy and objectives. Sampling some mobile devices from on-duty medical staff and validate the mobile device information with the asset register: This option is relevant because it can provide evidence of how the mobile devices that are used by the medical staff, who are involved in processing and storing residents' data, are registered in the asset register and have physical protection enabled. This can verify the implementation and effectiveness of two of the controls that are stated in the mobile device policy. Review the asset register to make sure all company's mobile devices are registered: This option is relevant because it can provide evidence of how the company's mobile devices that are within the ISMS scope are identified and accounted for. This can verify the implementation and effectiveness of one of the controls that are stated in the mobile device policy. The other options for the audit trail are not relevant to verifying the mobile device policy and objectives, as they are not related to the policy or objectives or their implementation or effectiveness. For example: Interview the reception personnel to make sure all visitor and employee bags are checked before entering the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding physical security or access control, but not specifically to mobile devices. Review visitors' register book to make sure no visitor can have their personal mobile phone in the nursing home: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security awareness or compliance, but not specifically to mobile devices. Interview the supplier of the devices to make sure they are aware of the ISMS policy: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to another policy or objective regarding information security within supplier relationships, but not specifically to mobile devices. Interview top management to verify their involvement in establishing the information security policy and the information security objectives: This option is not relevant because it does not provide evidence of how the mobile device policy and objectives are implemented or effective. It may be related to verifying that the information security policy and objectives have been established by top management, but not specifically to mobile devices.
Question 167
當 IT 經理找到您並請您協助修改公司的風險管理流程時,您剛完成了組織的預定資訊安全審核。 他正在嘗試更新當前的文檔,以使其他經理更容易理解,但是,從您的討論中可以清楚地看出,他混淆了幾個關鍵術語。 您要求他將每個描述與適當的風險術語相匹配。正確答案應該是什麼?
Correct Answer:
Explanation: The correct answers for matching each of the descriptions with the appropriate risk term are: * The strategy chosen to respond to a specific information security risk: This is a definition of information security risk treatment. According to ISO/IEC 27000:2022, information security risk treatment is "the process of selecting and implementing measures to modify the information security risk" Section 3.33. * The effect of uncertainty on information security objectives: This is a definition of information security risk. According to ISO/IEC 27000:2022, information security risk is "the effect of uncertainty on information security objectives" Section 3.32. * The requirements against which information security risks are evaluated: This is a definition of information security risk criteria. According to ISO/IEC 27000:2022, information security risk criteria are "the terms of reference by which the significance of information security risks is assessed" Section 3.31. * A definition of the overall level of information security risk that is considered to be tolerable: This is a definition of information security risk acceptance criteria. According to ISO/IEC 27000:2022, information security risk acceptance criteria are "the level of information security risk that is acceptable" Section 3.30.
Question 168
問題 下列哪一項不是品質審核文件範本中的必要元素?
Correct Answer: B
The correct answer is Detailed descriptions of all audit findings with corrective actions, because this information is not a required element of a quality review documentation template. Quality review documentation focuses on verifying the adequacy, consistency, and compliance of the audit process itself, not on managing corrective actions. According to ISO/IEC 17021-1 and ISO 19011, quality review records typically include identification of the reviewer and preparer, confirmation that required audit steps were completed, dates of review activities, and confirmation that conclusions are supported by evidence. These elements ensure traceability, accountability, and procedural compliance. Option A is required because identifying both the preparer and reviewer supports independence and accountability in the review process. Option C is also required because recording completion dates provides evidence that reviews were performed at the appropriate stage of the audit process. Option B is incorrect because detailed audit findings and corrective actions belong in audit reports and corrective action tracking systems, not in the quality review template. Including corrective actions in quality review documentation would blur the distinction between audit execution and audit oversight. Therefore, detailed descriptions of audit findings with corrective actions are not a required element of quality review documentation.
One of the advantages of having accredited certification of ISMS to ISO/IEC 27001:2022 is that it demonstrates the recognition of the credibility of the certification process. Accredited certification means that the certification body has been assessed and approved by an accreditation body, which ensures that the certification body operates according to international standards and follows impartiality, competence and consistency principles. Accredited certification also enhances the confidence of the organisation's customers, partners, regulators and other interested parties in the organisation's information security performance and compliance. References: = ISO/IEC 27001:2022, clause 0.2; [PECB Candidate Handbook ISO 27001 Lead Auditor], page 6; Key Benefits of ISO 27001 Certification - IT Governance.
Question 170
為什麼在初次接觸時要考慮重要性?
Correct Answer: B
Materiality should be considered during the initial contact to obtain reasonable assurance that the audit can be successfully completed. Determining materiality helps establish the threshold for the significance of audit findings, ensuring that the audit focuses on substantial issues that could impact the audit conclusions.
