
[2024年06月] 更新されたのはPECB ISO-IEC-27001-Lead-Implementer問題集PDFオンラインエンジン
ISO-IEC-27001-Lead-Implementer.PDFで問題解答PDFサンプル問題は信頼され続ける
質問 # 33
Kyte. a company that has an online shopping website, has added a Q&A section to its website; however, its Customer Service Department almost never provides answers to users' questions. Which principle of an effective communication strategy has Kyte not followed?
- A. Clarity
- B. Appropriateness
- C. Responsiveness
正解:B
解説:
A demilitarized zone (DMZ) is a network segment that separates the internal network from the external network, such as the internet. A DMZ is designed to provide a layer of protection for the internal network by limiting the exposure of publicly accessible resources and services to potential attackers. A DMZ is an example of a preventive control, which is a type of security control that aims to prevent or deter cyberattacks from occurring in the first place. Preventive controls reduce the likelihood of a successful attack by implementing safeguards and countermeasures that make it more difficult or costly for an attacker to exploit vulnerabilities or bypass security mechanisms. Other examples of preventive controls include encryption, authentication, access control, firewalls, antivirus software, and security awareness training. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 83) References:
* PECB ISO/IEC 27001 Lead Implementer Course Manual, page 83
* PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
質問 # 34
Based on scenario 6. when should Colin deliver the next training and awareness session?
- A. After he conducts a competence needs analysis and records the competence related issues
- B. After he ensures that the group of employees targeted have satisfied the organization's needs
- C. After he determines the employees' availability and motivation
正解:A
質問 # 35
Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the
[^involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.
In scenario 1, HealthGenic experienced a number of service interruptions due to the loss of functionality of the software. Which principle of information security has been affected in this case?
- A. Confidentiality
- B. Integrity
- C. Availability
正解:C
解説:
Availability of information is the property of being accessible and usable upon demand by an authorized entity. In other words, availability ensures that the information and the systems that support it are always ready for use when needed. In the scenario, the availability of information was affected when HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software.
This means that the software was not able to handle the demand and provide the required functionality to the users. Therefore, the correct answer is A.
References: ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, clause 3.13.
質問 # 36
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Which statement below suggests that Beauty has implemented a managerial control that helps avoid the occurrence of incidents? Refer to scenario 2.
- A. Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information
- B. Beauty updated the segregation of duties chart
- C. Beauty's employees signed a confidentiality agreement
正解:A
質問 # 37
The certification body rejected NetworkFuse's request to change the audit team leader. Is this acceptable?
Refer to scenario 10.
- A. No, auditee's requests for the replacement of auditors must be accepted
- B. No, because an auditee cannot request the rejection of an audit team member
- C. Yes, because NetworkFuse did not give a valid reason to support their claims
正解:C
質問 # 38
'The ISMS covers all departments within Company XYZ that have access to customers' data. The purpose of the ISMS is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security." What does this statement
^"describe?
- A. The information systems boundary of the ISMS scope
- B. The organizational boundaries of the ISMS scope
- C. The physical boundary of the ISMS scope
正解:B
解説:
Explanation
The statement describes the organizational boundaries of the ISMS scope, which define which parts of the organization are included or excluded from the ISMS. The organizational boundaries can be based on criteria such as departments, functions, processes, activities, or locations. In this case, the statement specifies that the ISMS covers all departments within Company XYZ that have access to customers' data, and excludes the ones that do not. The statement also explains the purpose of the ISMS, which is to ensure the confidentiality, integrity, and availability of customers' data, and ensure compliance with the applicable regulatory requirements regarding information security.
The statement does not describe the information systems boundary of the ISMS scope, which defines which information systems are included or excluded from the ISMS. The information systems boundary can be based on criteria such as hardware, software, networks, databases, or applications. The statement does not mention any specific information systems that are covered by the ISMS.
The statement also does not describe the physical boundary of the ISMS scope, which defines which physical locations are included or excluded from the ISMS. The physical boundary can be based on criteria such as buildings, rooms, cabinets, or devices. The statement does not mention any specific physical locations that are covered by the ISMS.
References:
ISO/IEC 27001:2013, clause 4.3: Determining the scope of the information security management system ISO/IEC 27001 Lead Implementer Course, Module 4: Planning the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO/IEC 27001 scope statement | How to set the scope of your ISMS - Advisera1 How to Write an ISO 27001 Scope Statement (+3 Examples) - Compleye2 How To Use an Information Flow Map to Determine Scope of Your ISMS3 ISMS SCOPE DOCUMENT - Resolver4 Define the Scope and Objectives - ISMS Info5
質問 # 39
Scenario 5: Operaze is a small software development company that develops applications for various companies around the world. Recently, the company conducted a risk assessment to assess the information security risks that could arise from operating in a digital landscape. Using different testing methods, including penetration Resting and code review, the company identified some issues in its ICT systems, including improper user permissions, misconfigured security settings, and insecure network configurations. To resolve these issues and enhance information security, Operaze decided to implement an information security management system (ISMS) based on ISO/IEC 27001.
Considering that Operaze is a small company, the entire IT team was involved in the ISMS implementation project. Initially, the company analyzed the business requirements and the internal and external environment, identified its key processes and activities, and identified and analyzed the interested parties In addition, the top management of Operaze decided to Include most of the company's departments within the ISMS scope. The defined scope included the organizational and physical boundaries. The IT team drafted an information security policy and communicated it to all relevant interested parties In addition, other specific policies were developed to elaborate on security issues and the roles and responsibilities were assigned to all interested parties.
Following that, the HR manager claimed that the paperwork created by ISMS does not justify its value and the implementation of the ISMS should be canceled However, the top management determined that this claim was invalid and organized an awareness session to explain the benefits of the ISMS to all interested parties.
Operaze decided to migrate Its physical servers to their virtual servers on third-party infrastructure. The new cloud computing solution brought additional changes to the company Operaze's top management, on the other hand, aimed to not only implement an effective ISMS but also ensure the smooth running of the ISMS operations. In this situation, Operaze's top management concluded that the services of external experts were required to implement their information security strategies. The IT team, on the other hand, decided to initiate a change in the ISMS scope and implemented the required modifications to the processes of the company.
Based on scenario 5. after migrating to cloud. Operaze's IT team changed the ISMS scope and implemented all the required modifications Is this acceptable?
- A. No, because the company has already defined the ISMS scope
- B. No, because any change in ISMS scope should be accepted by the management
- C. Yes, because the ISMS scope should be changed when there are changes to the external environment
正解:B
解説:
Explanation
According to ISO/IEC 27001:2022, clause 4.3, the organization shall determine the scope of the ISMS by considering the internal and external issues, the requirements of interested parties, and the interfaces and dependencies with other organizations. The scope shall be available as documented information and shall state what is included and what is excluded from the ISMS. The scope shall be reviewed and updated as necessary, and any changes shall be approved by the top management. Therefore, it is not acceptable for the IT team to change the ISMS scope and implement the required modifications without the approval of the management.
References: ISO/IEC 27001:2022, clause 4.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 4, slide 10.
質問 # 40
Based on scenario 10. NetworkFuse did not conduct a self-evaluation of the ISMS before the audit. Is this compliant to ISO/IEC 27001?
- A. No, the auditee must review the requirements of clauses 4 to 10 before the conduct of a certification audit
- B. Yes, the standard does not require to conduct a self-evaluation before the audit but it is a good practice to follow
- C. Yes, the standard indicates that the auditee shall rely only on internal audit and management review reports to prepare for the certification audit
正解:A
質問 # 41
Who should be involved, among others, in the draft, review, and validation of information security procedures?
- A. An external expert
- B. The information security committee
- C. The employees in charge of ISMS operation
正解:B
質問 # 42
An organization has adopted a new authentication method to ensure secure access to sensitive areas and facilities of the company. It requires every employee to use a two-factor authentication (password and QR code). This control has been documented, standardized, and communicated to all employees, however its use has been "left to individual initiative, and it is likely that failures can be detected. Which level of maturity does this control refer to?
- A. Defined
- B. Quantitatively managed
- C. Optimized
正解:A
解説:
According to the ISO/IEC 27001:2022 Lead Implementer objectives and content, the maturity levels of information security controls are based on the ISO/IEC 15504standard, which defines five levels of process capability: incomplete, performed, managed, established, and optimized1. Each level has a set of attributes that describe the characteristics of the process at that level. The level of defined corresponds to the attribute of process performance, which means that the process achieves its expected outcomes2. In this case, the control of two-factor authentication has been documented, standardized, and communicated, which implies that it has a clear purpose and expected outcomes. However, the control is not consistently implemented, monitored, or measured, which means that it does not meet the attributes of the higher levels of managed, established, or optimized. Therefore, the control is at the level of defined, which is the second level of maturity.
References:
* 1: ISO/IEC 27001:2022 Lead Implementer Course Brochure, page 5
* 2: ISO/IEC 27001:2022 Lead Implementer Course Presentation, slide 25
質問 # 43
Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients' data and medical history, and communicate with all the
[^involved parties, including parents, other physicians, and the medical laboratory staff.
Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.
The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic's patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients' privacy.
Based on the scenario above, answer the following question:
Which of the following indicates that the confidentiality of information was compromised?
- A. Modification of patients' medical reports
- B. Invasion of patients' privacy
- C. Service interruptions due to the increased number of users
正解:B
質問 # 44
Scenario 2: Beauty is a cosmetics company that has recently switched to an e-commerce model, leaving the traditional retail. The top management has decided to build their own custom platform in-house and outsource the payment process to an external provider operating online payments systems that support online money transfers.
Due to this transformation of the business model, a number of security controls were implemented based on the identified threats and vulnerabilities associated to critical assets. To protect customers' information.
Beauty's employees had to sign a confidentiality agreement. In addition, the company reviewed all user access rights so that only authorized personnel can have access to sensitive files and drafted a new segregation of duties chart.
However, the transition was difficult for the IT team, who had to deal with a security incident not long after transitioning to the e commerce model. After investigating the incident, the team concluded that due to the out-of-date anti-malware software, an attacker gamed access to their files and exposed customers' information, including their names and home addresses.
The IT team decided to stop using the old anti-malware software and install a new one which would automatically remove malicious code in case of similar incidents. The new software was installed in every workstation within the company. After installing the new software, the team updated it with the latest malware definitions and enabled the automatic update feature to keep it up to date at all times. Additionally, they established an authentication process that requires a user identification and password when accessing sensitive information.
In addition, Beauty conducted a number of information security awareness sessions for the IT team and other employees that have access to confidential information in order to raise awareness on the importance of system and network security.
Based on scenario 2, which information security principle is the IT team aiming to ensure by establishing a user authentication process that requires user identification and password when accessing sensitive information?
- A. Availability
- B. Integrity
- C. Confidentiality
正解:C
解説:
Confidentiality is one of the three information security principles, along with integrity and availability, that form the CIA triad. Confidentiality means protecting information from unauthorized access or disclosure, and ensuring that only those who are authorized to view or use it can do so. Confidentiality is essential for preserving the privacy and trust of the information owners, such as customers, employees, or business partners.
The IT team of Beauty is aiming to ensure confidentiality by establishing a user authentication process that requires user identification and password when accessing sensitive information. User authentication is a security control that verifies the identity and credentials of the users who attempt to access a system or network, and grants or denies them access based on their authorization level. User authentication helps to prevent unauthorized users, such as hackers, competitors, or malicious insiders, from accessing confidential information that they are not supposed to see or use. User authentication also helps to create an audit trail that records who accessed what information and when, which can be useful for accountability and compliance purposes.
References:
* ISO/IEC 27001:2022 Lead Implementer Course Guide1
* ISO/IEC 27001:2022 Lead Implementer Info Kit2
* ISO/IEC 27001:2022 Information Security Management Systems - Requirements3
* ISO/IEC 27002:2022 Code of Practice for Information Security Controls
* What is Information Security | Policy, Principles & Threats | Imperva1
* What is information security? Definition, principles, and jobs2
* What is Information Security? Principles, Types - KnowledgeHut3
質問 # 45
What should TradeB do in order to deal with residual risks? Refer to scenario 4.
- A. TradeB should immediately implement new controls to treat all residual risks
- B. TradeB should accept the residual risks only above the acceptance level
- C. TradeB should evaluate, calculate, and document the value of risk reduction following risk treatment
正解:C
質問 # 46
Scenario 6: Skyver offers worldwide shipping of electronic products, including gaming consoles, flat-screen TVs. computers, and printers. In order to ensure information security, the company has decided to implement an information security management system (ISMS) based on the requirements of ISO/IEC 27001.
Colin, the company's best information security expert, decided to hold a training and awareness session for the personnel of the company regarding the information security challenges and other information security-related controls. The session included topics such as Skyver's information security approaches and techniques for mitigating phishing and malware.
One of the participants in the session is Lisa, who works in the HR Department. Although Colin explains the existing Skyver's information security policies and procedures in an honest and fair manner, she finds some of the issues being discussed too technical and does not fully understand the session. Therefore, in a lot of cases, she requests additional help from the trainer and her colleagues What is the difference between training and awareness? Refer to scenario 6.
- A. Training helps transfer a message with the intent of informing, whereas awareness helps change the behavior toward the message
- B. Training helps acquire a skill, whereas awareness helps apply it in practice
- C. Training helps acquire certain skills, whereas awareness develops certain habits and behaviors.
正解:C
解説:
Explanation
According to ISO/IEC 27001, training and awareness are two different but complementary activities that aim to enhance the information security competence and performance of the organization's personnel. Training is the process of providing instruction and guidance to help individuals acquire certain skills, knowledge, or abilities related to information security. Awareness is the process of raising the level of consciousness and understanding of the importance and benefits of information security, and developing certain habits and behaviors that support the information security objectives and requirements.
In scenario 6, Colin is holding a training and awareness session for the personnel of Skyver, which means he is combining both activities to achieve a more effective and comprehensive information security education. The training part of the session covers topics such as Skyver's information security policies and procedures, and techniques for mitigating phishing and malware. The awareness part of the session covers topics such as Skyver's information security approaches and challenges, and the benefits of information security for the organization and its customers. The purpose of the session is to help the personnel acquire the necessary skills to perform their information security roles and responsibilities, and to develop the appropriate habits and behaviors to protect the information assets of the organization.
References:
ISO/IEC 27001:2013, clause 7.2.2: Information security awareness, education and training ISO/IEC 27001 Lead Implementer Course, Module 6: Implementing the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 7: Performance evaluation, monitoring and measurement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 8: Continual improvement of the ISMS based on ISO/IEC 27001 ISO/IEC 27001 Lead Implementer Course, Module 9: Preparing for the ISMS certification audit ISO 27001 Security Awareness Training and Compliance - InfosecTrain1 ISO/IEC 27001 compliance and cybersecurity awareness training2 ISO 27001 Free Training | Online Course | British Assessment Bureau
質問 # 47
A small organization that is implementing an ISMS based on ISO/lEC 27001 has decided to outsource the internal audit function to a third party. Is this acceptable?
- A. Yes, outsourcing the internal audit function to a third party is often a better option for small organizations to demonstrate independence and impartiality
- B. No, the organizations cannot outsource the internal audit function to a third party because during internal audit, the organization audits its own system
- C. No, the outsourcing of the internal audit function may compromise the independence and impartiality of the internal audit team
正解:A
解説:
Explanation
According to the ISO/IEC 27001:2022 standard, an internal audit is an audit conducted by the organization itself to evaluate the conformity and effectiveness of its information security management system (ISMS). The standard requires that the internal audit should be performed by auditors who are objective and impartial, meaning that they should not have any personal or professional interest or bias that could influence their judgment or compromise their integrity. The standard also allows the organization to outsource the internal audit function to a third party, as long as the criteria of objectivity and impartiality are met.
Outsourcing the internal audit function to a third party can be a better option for small organizations that may not have enough resources, skills, or experience to perform an internal audit by themselves. By hiring an external auditor, the organization can benefit from the following advantages:
The external auditor can provide a fresh and independent perspective on the organization's ISMS, identifying strengths, weaknesses, opportunities, and threats that may not be apparent to the internal staff.
The external auditor can bring in specialized knowledge, expertise, and best practices from other organizations and industries, helping the organization to improve its ISMS and achieve its objectives.
The external auditor can reduce the risk of conflict of interest, bias, or influence that may arise when the internal staff audit their own work or the work of their colleagues.
The external auditor can save the organization time and money by conducting the internal audit more efficiently and effectively, avoiding duplication of work or unnecessary delays.
Therefore, outsourcing the internal audit function to a third party is acceptable and often preferable for small organizations that are implementing an ISMS based on ISO/IEC 27001.
References:
ISO/IEC 27001:2022, Information technology - Security techniques - Information security management systems - Requirements, Clause 9.2, Internal audit ISO/IEC 27007:2023, Information technology - Security techniques - Guidelines for information security management systems auditing PECB, ISO/IEC 27001 Lead Implementer Course, Module 12, Internal audit A Complete Guide to an ISO 27001 Internal Audit - Sprinto
質問 # 48
Scenario 4: TradeB. a commercial bank that has just entered the market, accepts deposits from its clients and offers basic financial services and loans for investments. TradeB has decided to implement an information security management system (ISMS) based on ISO/IEC 27001 Having no experience of a management
[^system implementation, TradeB's top management contracted two experts to direct and manage the ISMS implementation project.
First, the project team analyzed the 93 controls of ISO/IEC 27001 Annex A and listed only the security controls deemed applicable to the company and their objectives Based on this analysis, they drafted the Statement of Applicability. Afterward, they conducted a risk assessment, during which they identified assets, such as hardware, software, and networks, as well as threats and vulnerabilities, assessed potential consequences and likelihood, and determined the level of risks based on three nonnumerical categories (low, medium, and high). They evaluated the risks based on the risk evaluation criteria and decided to treat only the high risk category They also decided to focus primarily on the unauthorized use of administrator rights and system interruptions due to several hardware failures by establishing a new version of the access control policy, implementing controls to manage and control user access, and implementing a control for ICT readiness for business continuity Lastly, they drafted a risk assessment report, in which they wrote that if after the implementation of these security controls the level of risk is below the acceptable level, the risks will be accepted Which of the actions presented in scenario 4 is NOT compliant with the requirements of ISO/IEC 27001?
- A. The Statement of Applicability was drafted before conducting the risk assessment
- B. The external experts selected security controls and drafted the Statement of Applicability
- C. TradeB selected only ISO/IEC 27001 controls deemed applicable to the company
正解:A
解説:
Explanation
According to ISO/IEC 27001:2022, clause 6.1.3, the Statement of Applicability (SoA) is a document that identifies the controls that are applicable to the organization's ISMS and explains why they are selected or not.
The SoA is based on the results of the risk assessment and risk treatment, which are the previous steps in the risk management process. Therefore, the SoA should be drafted after conducting the risk assessment, not before. Drafting the SoA before the risk assessment may lead to inappropriate or incomplete selection of controls, as the organization may not have a clear understanding of its information security risks and their impact.
References: ISO/IEC 27001:2022, clause 6.1.3; PECB ISO/IEC 27001 Lead Implementer Course, Module 5, slide 18.
質問 # 49
Based on scenario 3. which information security control of Annex A of ISO/IEC 27001 did Socket Inc.
implement by establishing a new system to maintain, collect, and analyze information related to information security threats?
- A. Annex A 5.5 Contact with authorities
- B. Annex A 5 7 Threat Intelligence
- C. Annex A 5.13 Labeling of information
正解:B
質問 # 50
Based on scenario 5. after migrating to cloud. Operaze's IT team changed the ISMS scope and implemented all the required modifications Is this acceptable?
- A. No, because the company has already defined the ISMS scope
- B. No, because any change in ISMS scope should be accepted by the management
- C. Yes, because the ISMS scope should be changed when there are changes to the external environment
正解:B
質問 # 51
Scenario 10: NetworkFuse develops, manufactures, and sells network hardware. The company has had an operational information security management system (ISMS) based on ISO/IEC 27001 requirements and a quality management system (QMS) based on ISO 9001 for approximately two years. Recently, it has applied for a j^ombined certification audit in order to obtain certification against ISO/IEC 27001 and ISO 9001.
After selecting the certification body, NetworkFuse prepared the employees for the audit The company decided to not conduct a self-evaluation before the audit since, according to the top management, it was not necessary. In addition, it ensured the availability of documented information, including internal audit reports and management reviews, technologies in place, and the general operations of the ISMS and the QMS.
However, the company requested from the certification body that the documentation could not be carried off-site However, the audit was not performed within the scheduled days because NetworkFuse rejected the audit team leader assigned and requested their replacement The company asserted that the same audit team leader issued a recommendation for certification to its main competitor, which, for the company's top management, was a potential conflict of interest. The request was not accepted by the certification body Based on the scenario above, answer the following question:
Does NetworkFuse fulfill the prerequisites for a certification audit?
- A. Yes, because the ISMS must be operational for at least one year prior to the certification audit
- B. Yes, because the certification body has been selected
- C. Yes, because internal audits and management reviews have been performed
正解:C
質問 # 52
......
PECB ISO-IEC-27001-Lead-Implementer問題集PDFのベストを目指すなら問題集を使おう 目指そう高得点:https://jp.fast2test.com/ISO-IEC-27001-Lead-Implementer-premium-file.html
ISO 27001 ISO-IEC-27001-Lead-Implementer試験と認定テストエンジン:https://drive.google.com/open?id=1EVrd9Lt658zNZXoh3K6Qvlbb--9aY2Gq