
PECB ISO-IEC-27035-Lead-Incident-Manager認定試験問題集には80練習テスト問題があります
最新ISO-IEC-27035-Lead-Incident-Manager試験問題集には高得点で一発合格
質問 # 48
What is the purpose of incident categorization within the incident management lifecycle?
- A. To automatically assign incidents to technicians
- B. To determine the priority of incidents
- C. To sort incidents based on the disrupted IT or business domain
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.
One of the core objectives of categorization is to sort incidents by the domain or system affected - whether it' s a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.
While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.1.2 - "Categorization should identify the domain or component affected to enable appropriate response and escalation." ISO/IEC 27035-2:2016, Clause 7.3 - "Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact." Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.
-
質問 # 49
During the 'detect and report' phase of incident management at TechFlow, the incident response team began collecting detailed threat intelligence and conducting vulnerability assessments related to these login attempts.
Additionally, the incident response team classified a series of unusual login attempts as a potential security incident and distributed initial reports to the incident coordinator. Is this approach correct?
- A. No, because collecting detailed information about threats and vulnerabilities should occur in later phases
- B. No, because information security incidents cannot yet be classified as information security incidents in this phase
- C. Yes, because classifying events as information security incidents is essential during this phase
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
The 'detect and report' phase, as defined in ISO/IEC 27035-1:2016 (Clause 6.2), includes the identification, classification, and initial reporting of information security events. If events meet certain thresholds-such as multiple failed login attempts from unknown IP addresses or matching threat indicators-they can and should be classified as potential incidents.
It is also appropriate to begin collecting supporting information during this phase. Gathering threat intelligence and performing basic vulnerability assessments help in confirming the scope and nature of the threat, allowing faster escalation and response.
Option B is incorrect because while deep forensic collection occurs later, preliminary data collection should begin during detection. Option C is incorrect as incident classification is explicitly allowed and encouraged in this phase.
Reference:
ISO/IEC 27035-1:2016, Clause 6.2.2: "Events should be assessed and classified to determine whether they qualify as information security incidents." Clause 6.2.3: "All relevant details should be collected to support early classification and reporting." Correct answer: A
質問 # 50
What can documenting recovery options and associated data loss/recovery timeframes assist with during incident response?
- A. Making informed decisions about containment and recovery
- B. Accelerating the incident response process
- C. Minimizing the impact on system performance
正解:A
解説:
Comprehensive and Detailed Explanation From Exact Extract:
Documenting recovery options and estimating recovery time objectives (RTOs) and data loss tolerances (Recovery Point Objectives - RPOs) is a crucial planning activity that supports decision-making during the containment and recovery phases. ISO/IEC 27035-2:2016, Clause 6.4.6 emphasizes that such documentation allows teams to:
Evaluate trade-offs between containment scope and data loss
Determine acceptable downtime for critical services
Select the most appropriate recovery strategy based on business impact
This documentation supports strategic thinking rather than rushed action, reducing the likelihood of costly decisions. It does not necessarily accelerate the process (Option C), nor is it designed to optimize performance (Option A).
Reference:
ISO/IEC 27035-2:2016, Clause 6.4.6: "Recovery planning should consider documented recovery procedures, acceptable data loss, and system downtime to support business continuity." Correct answer: B
質問 # 51
What is the primary function of a single type of IRT?
- A. Monitoring targets from remote locations
- B. Managing incidents within a specified organization
- C. Enhancing the reliability of incident response activities
正解:B
解説:
Comprehensive and Detailed Explanation From Exact Extract:
A single-type Incident Response Team (IRT), as defined in ISO/IEC 27035-1:2016, is responsible for managing and coordinating incident response within a specific organization or business unit. Its scope typically covers the entire lifecycle of incident handling-preparation, detection, containment, response, recovery, and lessons learned-focused solely on the needs of that particular entity.
This contrasts with a coordinating or multi-party IRT, which may support multiple organizations or coordinate between units. While Option A is a byproduct of a well-functioning IRT, it is not its core function.
Option B (monitoring) may fall under a SOC, but not the primary function of a single IRT.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.5.1: "An organization may establish a single IRT responsible for handling all incidents affecting the organization." ISO/IEC 27035-2:2016, Clause 6.2.3: "Single IRTs typically manage incidents internally and directly support the organization's response processes." Correct answer: C
-
質問 # 52
What role does the incident coordinator play during the response phase?
- A. Coordinating the activities of IRTs and monitoring response time
- B. Initiating the response actions immediately
- C. Assessing if the event is a potential or confirmed security incident
正解:A
解説:
Comprehensive and Detailed Explanation From Exact Extract:
The incident coordinator plays a vital managerial and operational role in guiding and synchronizing the efforts of Incident Response Teams (IRTs). ISO/IEC 27035-2:2016, Clause 7.2.2 describes the role as one that involves coordination of resources, communication, and oversight to ensure that all phases of the response are executed according to procedure and within acceptable timelines.
Responsibilities include:
Assigning roles and responsibilities
Overseeing containment, eradication, and recovery efforts
Communicating with stakeholders
Tracking incident metrics and resolution progress
Initiating the response (Option B) is typically a decision taken collectively or by senior management or the IMT after classification. Assessing the nature of an event (Option C) falls under the detection and classification phase, not the coordinator's primary role during response.
Reference:
ISO/IEC 27035-2:2016, Clause 7.2.2: "The incident coordinator is responsible for leading and coordinating the incident response process, ensuring timely and efficient execution." Correct answer: A
-
質問 # 53
Scenario 8: Moneda Vivo, headquartered in Kuala Lumpur. Malaysia, is a distinguished name in the banking sector. It is renowned for its innovative approach to digital banking and unwavering commitment to information security. Moneda Vivo stands out by offering various banking services designed to meet the needs of its clients. Central to its operations is an information security incident management process that adheres to the recommendations of ISO/IEC 27035-1 and 27035-2.
Recently. Moneda Vivo experienced a phishing attack aimed at its employees Despite the bank's swift identification and containment of the attack, the incident led to temporary service outages and data access issues, underscoring the need for improved resilience The response team compiled a detailed review of the attack, offering valuable insights into the techniques and entry points used and identifying areas for enhancing their preparedness.
Shortly after the attack, the bank strengthened its defense by implementing a continuous review process to ensure its incident management procedures and systems remain effective and appropriate While monitoring the incident management process, a trend became apparent. The mean time between similar incidents decreased after a few occurrences; however, Moneda Vivo strategically ignored the trend and continued with regular operations This decision was rooted in a deep confidence in its existing security measures and incident management protocols, which had proven effective in quick detection and resolution of issues Moneda Vivo's commitment to transparency and continual improvement is exemplified by its utilization of a comprehensive dashboard. This tool provides real time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency. However, securing its digital banking platform proved challenging.
Following a recent upgrade, which included a user interface change to its digital banking platform and a software update, Moneda Vivo recognized the need to immediately review its incident management process for accuracy and completeness. The top management postponed the review due to financial and time constraints.
According to scenario 8, which reporting dashboard did Moneda Vivo use?
- A. Operational
- B. Strategic
- C. Tactical
正解:A
解説:
Comprehensive and Detailed Explanation From Exact Extract:
The scenario mentions that Moneda Vivo uses a dashboard that offers "real-time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency." These characteristics are aligned with an operational dashboard. According to ISO/IEC 27035-2 and related best practices, operational dashboards track day-to-day activities, monitor KPIs related to incident management, and help frontline teams manage incidents in real time.
Strategic dashboards (Option A) are used by executives for long-term decision-making, while tactical dashboards (Option C) are used for mid-term planning and departmental coordination.
Reference:
ISO/IEC 27035-2:2016, Clause 7.4.6: "Dashboards can support monitoring of incident management activities at operational and tactical levels." Correct answer: B
-
質問 # 54
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
Based on scenario 3, did Leona follow all the ISO/IEC 27035-1 guidelines when communicating the information security incident management policy to interested parties?
- A. No, she should also communicate how often the information security incident policies are updated and revised
- B. No, she should also communicate the incident reporting procedures and specify the appropriate contact for further information
- C. Yes, she effectively communicated the outcomes of incidents and strategies to minimize recurrence, meeting the necessary communication requirements
正解:B
解説:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016, effective communication of the incident management policy must include not only policy content, roles, and responsibilities but also specific procedural aspects-such as how to report an incident and who to contact. This ensures that all stakeholders clearly understand their responsibilities in the event of an incident and know how to respond.
In the scenario, Leona communicated the outcomes of incidents, mitigation strategies, personnel obligations, and policy content. However, she did not include the incident reporting procedures or contact points, which are essential components of incident communication as per ISO guidelines.
Reference:
ISO/IEC 27035-1:2016, Clause 6.1: "Communication of the incident management policy should include reporting channels, escalation contacts, and policy revision frequency." Therefore, the correct answer is B.
-
質問 # 55
Why is it important to identify all impacted hosts during the eradication phase?
- A. To optimize hardware performance
- B. To enhance overall security
- C. To facilitate recovery efforts
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
During the eradication phase of the information security incident management process, identifying all impacted hosts is essential to ensure that every element affected by the incident is addressed before proceeding to recovery. According to ISO/IEC 27035-2:2016, Clause 6.4.5, the eradication phase involves removing malware, disabling unauthorized access, and remediating vulnerabilities that led to the incident.
Identifying all impacted hosts ensures:
Comprehensive removal of malicious artifacts
Prevention of reinfection or further propagation
A smooth and complete transition into the recovery phase
This directly supports recovery planning because it helps teams understand which systems need to be restored, rebuilt, or validated. Option B (optimizing hardware performance) is not a goal of incident management, and Option C (enhancing overall security) is a long-term objective but not the immediate goal of the eradication phase.
Reference:
ISO/IEC 27035-2:2016, Clause 6.4.5: "During eradication, it is important to identify all affected systems so that root causes and malicious components are removed prior to recovery." Correct answer: A
-
質問 # 56
What is one of the requirements for an organization's technical means in supporting information security?
- A. Immediate deletion of all incident reports for security purposes
- B. Quick acquisition of information security event/incident/vulnerability reports
- C. Public disclosure of contact register details for transparency
正解:B
解説:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-2:2016, one of the technical requirements to support effective incident management is the capability to rapidly detect, collect, and process information about security events, incidents, and vulnerabilities. Timely acquisition of this data allows the organization to assess threats, determine the scope of incidents, and execute response measures quickly.
Clause 7.4.1 emphasizes the need for adequate tools and infrastructure to support the detection and acquisition of information security events and vulnerability reports. The collected data becomes the foundation for risk assessment, root cause analysis, and corrective action planning.
Option A (public disclosure of contact details) might be relevant for CERT/CSIRT public coordination but is not a core requirement in technical incident response. Option B (immediate deletion of reports) is contrary to best practices, as incident reports are critical for audits, compliance, and continuous improvement.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.4.1: "Organizations should ensure that technical means are in place to allow quick acquisition and analysis of information related to events, incidents, and vulnerabilities." Correct answer: C
-
質問 # 57
When does the information security incident management plan come into effect?
- A. When a new security policy is drafted
- B. When a security vulnerability is reported
- C. After a security audit is completed
正解:B
解説:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1 and 27035-2, the incident management plan is activated upon the detection or reporting of a security event, particularly when a vulnerability, threat, or compromise has been identified. The plan ensures structured response and accountability from the very first signs of a potential incident.
Clause 6.4.2 in ISO/IEC 27035-2 explains that incident response activities-including logging, categorization, assessment, and escalation-should begin as soon as a security incident or vulnerability is reported. This proactive trigger allows early containment and mitigation.
Security audits and policy drafts (Options A and B) are part of preventive or governance mechanisms, not operational triggers for activating the plan.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 6.4.2: "The incident management plan should be activated once a security incident or significant vulnerability is identified and reported." Clause 5.1: "Detection and reporting are the initial steps in triggering the formal incident management lifecycle." Correct answer: C
質問 # 58
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
In scenario 3, which of the following risk identification approaches was used by L&K Associates?
- A. Event-based approach
- B. Both A and B
- C. Asset-based approach
正解:B
解説:
Comprehensive and Detailed Explanation From Exact Extract:
L&K Associates employed two distinct approaches as described in ISO/IEC 27005:2018 and referenced in ISO/IEC 27035-2:
Strategic scenario identification, which involves analyzing sources of risk and their impact on stakeholders and objectives. This is aligned with the event-based approach, which focuses on risk sources and events that may lead to incidents.
Operational scenario identification, which involves a thorough assessment of assets, threats, and vulnerabilities - aligning with the asset-based approach, where the focus is on critical assets and the threats that may exploit their weaknesses.
ISO/IEC 27005:2018, Clause 8.2.2, identifies multiple methods for risk identification, including:
Asset-based approach
Event-based (or threat-based) approach
Vulnerability-centered approach
In this scenario, both the asset- and event-based methods were clearly applied by Leona, which is encouraged in ISO risk management practices to provide a holistic view of risk.
Therefore, the correct answer is C: Both A and B.
質問 # 59
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments. ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation This tool covers network traffic, doud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative. ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack'' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness. ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
Based on scenario 4, are the responsibilities of the incident response team (IRT) established according to the ISO/IEC 27035-2 guidelines?
- A. No, the responsibilities of IRT also include assessing events and declaring incidents
- B. Yes, IRT's responsibilities include identifying root causes, discovering hidden vulnerabilities, and resolving incidents quickly to minimize their impact
- C. No, the responsibilities of IRT do not include resolving incidents
正解:A
解説:
Comprehensive and Detailed Explanation:
ISO/IEC 27035-2:2016 outlines comprehensive responsibilities for an incident response team, which include not just response and mitigation but also:
Assessing and classifying reported events
Determining if they qualify as incidents
Coordinating containment, eradication, and recovery actions
Conducting root cause analysis and lessons learned
While the scenario highlights the team's strengths in root cause analysis and resolution, it omits one key responsibility: the proper assessment and classification of the anomaly before response. This makes option C the most accurate.
Reference:
ISO/IEC 27035-2:2016, Clause 5.2.2 - "The IRT should assess events, determine whether they are incidents, and take appropriate actions." Therefore, the correct answer is C.
-
質問 # 60
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third- party systems. These issues became especially evident during an incident that caused several hours of server downtime This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings The scan revealed a critical vulnerability due to the software using outdated encryption algorithms that are susceptible to decryption by modern methods that posed a significant risk of asset exposure Noah, the IT manager, played a central role in this discovery With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management. Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This marked the stage for Paulina s crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC
27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats Referring to scenario 7, Konzolo conducted a forensic analysis after all systems had been fully restored and normal operations resumed. Is this recommended?
- A. Yes, they should conduct it after all systems have been fully restored and normal operations have resumed
- B. No, they should have conducted it before responding to the incident to understand its cause
- C. No, they should have conducted it concurrently with the response to preserve evidence
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
Forensic analysis is most effective when conducted during or immediately following the detection and containment phases-before recovery processes begin-so that critical evidence is preserved. ISO/IEC 27035-
2:2016, Clause 6.4.2 emphasizes the importance of conducting evidence collection early in the incident lifecycle to maintain integrity and avoid contamination.
Performing forensic analysis after systems are restored risks overwriting or losing crucial data such as logs, memory states, and malicious artifacts. Therefore, Paulina should have conducted the analysis concurrently with or directly after containment, not post-recovery.
Reference:
* ISO/IEC 27035-2:2016, Clause 6.4.2: "Evidence collection should begin as early as possible during incident detection and containment to preserve forensic integrity."
* ISO/IEC 27043:2015 (Digital Forensics), Clause 7.2.1: "Evidence should be collected prior to recovery to maintain chain of custody and ensure integrity." Correct answer: A
-
質問 # 61
Based on ISO/IEC 27035-2, which of the following is an example of evaluation activities used to evaluate the effectiveness of the incident management team?
- A. Evaluating the capabilities and services once they become operational
- B. Conducting information security testing, particularly vulnerability assessment
- C. Analyzing the lessons learned once an information security incident has been handled and closed
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 Clause 7.4.3 emphasizes the role of lessons learned reviews as key evaluation activities for assessing the performance of incident response teams. This activity involves post-incident debriefs to evaluate what went right or wrong and how response processes or team functions could improve.
While options A and C are related to broader security or deployment procedures, Option B directly reflects a formal evaluation mechanism used to gauge incident team effectiveness.
Reference:
ISO/IEC 27035-2:2016 Clause 7.4.3: "Lessons learned should be documented and used to evaluate the effectiveness of the incident management process." Correct answer: B
-
質問 # 62
Which factor of change should be monitored when maintaining incident management documentation?
- A. Market trends
- B. Employee attendance records
- C. Test results
正解:C
解説:
Comprehensive and Detailed Explanation From Exact Extract:
When maintaining documentation for information security incident management, test results are critical indicators of how well current plans and controls are functioning. According to ISO/IEC 27035-2:2016 Clause 7.3.3, organizations must update documents based on test outcomes, incident experiences, or environmental changes.
Market trends (Option A) and attendance records (Option B) are not directly relevant to the content or accuracy of incident documentation.
Reference:
ISO/IEC 27035-2:2016 Clause 7.3.3: "Changes in the environment or test results should be used as input for reviewing documentation." Correct answer: C
-
質問 # 63
......
PECB ISO-IEC-27035-Lead-Incident-Manager 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
無料提供中ISO-IEC-27035-Lead-Incident-Managerブレーン問題集とISO-IEC-27035-Lead-Incident-Managerリアル試験問題を試そう:https://www.passtest.jp/PECB/ISO-IEC-27035-Lead-Incident-Manager-shiken.html
PECB ISO-IEC-27035-Lead-Incident-Manager実際の問題とブレーン問題集:https://drive.google.com/open?id=1lnFIC4Ys5epp1CEAcJmXEkvmUQ0B2m5c