
[2025年12月]に更新されたIsaca Certificaton CRISC試験練習テスト問題集豪華セット!
2025年最新のに更新されたCRISCのPDFはCRISC本日更新のテスト無料最新!
ISACA CRISC(リスクおよび情報システムコントロール認定)試験は、ITおよび情報システムにおけるリスクの識別と管理を担当する専門家を対象とした認定試験です。この認定は、ITリスク管理の分野で世界的に認められ、高く評価されています。試験は、リスクの識別、評価、対応、監視の4つのドメインで候補者の知識と技能をテストするように設計されています。試験は、COBIT 2019、NIST、ISO 31000などの業界のベストプラクティスと標準に基づいています。
CRISC認定資格は、組織のリスク管理を担当するITプロフェッショナルに最適です。これには、ITリスクプロフェッショナル、ITマネージャー、ビジネスアナリスト、コンプライアンスプロフェッショナル、セキュリティプロフェッショナルが含まれます。この認定は、リスク管理の包括的な理解を提供し、プロフェッショナルが組織内のリスクを効果的に管理することを可能にします。試験は難しく、広範な準備が必要ですが、試験に合格することは、ITリスク管理に関する高度な知識と専門知識を証明するものです。全体的に、CRISC認定資格は、ITリスク管理プロフェッショナルの専門的な信頼性を高める貴重な資格です。
質問 # 634
To enable effective risk governance, it is MOST important for senior management to:
- A. Gain a clear understanding of business risk and related ownership.
- B. Communicate the risk management strategy across the organization.
- C. Ensure security policies and procedures are documented.
- D. Ensure the IT governance framework is up to date.
正解:C
質問 # 635
Which of the following is true for risk evaluation?
- A. Risk evaluation is done once a year for every business processes.
- B. Risk evaluation is done annually or when there is significant change.
- C. Risk evaluation is done only when there is significant change.
- D. Risk evaluation is done every four to six months for critical business processes.
正解:B
解説:
Explanation/Reference:
Explanation:
Due to the reason that risk is constantly changing, it is being evaluated annually or when there is significant change. This gives best alternative as it takes into consideration a reasonable time frame of one year, and meanwhile it also addresses significant changes (if any).
Incorrect Answers:
A: Evaluating risk only when there is significant changes do not take into consideration the effect of time.
As the risk is changing constantly, small changes do occur with time that would affect the overall risk.
Hence risk evaluation should be done annually too.
B: Evaluating risk once a year is not sufficient in the case when some significant change takes place. This significant change should be taken into account as it affects the overall risk.
D: Risk evaluation need not to be done every four to six months for critical processes, as it does not addresses important changes in timely manner.
質問 # 636
Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?
- A. Check the contract for appropriate security risk and control provisions.
- B. Review the vendor selection process and vetting criteria.
- C. Establish service level agreements (SLAs) with the vendor.
- D. Assess whether use of service falls within risk tolerance thresholds.
正解:B
解説:
According to the CRISC EXAM TOPIC 2 LONG Flashcards, the first thing that a risk practitioner should do when an organization decides to use a cloud service is to review the vendor selection process and vetting criteria. This is because the vendor selection process and vetting criteria are essential steps to ensure that the cloud service provider meets the organization's requirements and expectations, and that the risks associated with the cloud service are identified and managed. By reviewing the vendor selection process and vetting criteria, the risk practitioner can evaluate the quality, reliability, security, and compliance of the cloud service provider, and determine if the cloud service is suitable and beneficial for the organization. The risk practitioner can also identify any gaps or weaknesses in the vendor selection process and vetting criteria, and recommend improvements or alternatives accordingly. References = CRISC EXAM TOPIC 2 LONG Flashcards
質問 # 637
Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?
- A. Control owner
- B. Risk practitioner
- C. Risk owner
- D. Compliance manager
正解:B
解説:
The risk practitioner is responsible for determining which stakeholders need to be involved in the development of a risk scenario, as they have the knowledge and skills to facilitate the process and ensure that the relevant perspectives and information are considered. The risk owner, the compliance manager, and the control owner are examples of stakeholders who may participate in the risk scenario development, but they are not responsible for determining who should be involved. References = Risk Scenarios Toolkit, page 9; CRISC Review Manual, 7th Edition, page 101.
質問 # 638
Which of the following data would be used when performing a business impact analysis (BIA)?
- A. Cost of regulatory compliance
- B. Cost-benefit analysis of running the current business
- C. Projected impact of current business on future business
- D. Expected costs for recovering the business
正解:D
質問 # 639
Which of the following is the BEST way to ensure ongoing control effectiveness?
- A. Establishing policies and procedures
- B. Measuring trends in control performance
- C. Obtaining management control attestations
- D. Periodically reviewing control design
正解:D
質問 # 640
Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?
- A. User provisioning
- B. Role-based access controls
- C. Entitlement reviews
- D. Security log monitoring
正解:C
質問 # 641
The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
- A. having the risk register updated regularly.
- B. having key risk indicators (KRIs) established to measure risk.
- C. having an action plan to remediate overdue issues.
- D. introduced into production without high-risk issues.
正解:D
解説:
The percentage of projects introduced into production without high-risk issues is the most important measure of the effectiveness of risk management in project implementation, as it reflects the ability of risk management to ensure that the project deliverables meet the quality, functionality, and security requirements, and do not introduce unacceptable risks to the organization. The percentage of projects having the risk register updated regularly, having key risk indicators (KRIs) established to measure risk, or having an action plan to remediate overdue issues are not the most important measures, as they are more related to the process, performance, or compliance of risk management, rather than the outcome or value of risk management. References = CRISC Review Manual, 7th Edition, page 110.
質問 # 642
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
- A. Plan risk response
- B. Explanation:
The plan risk response project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and perform quantitative risk analysis process. Plan risk response process includes the risk response owner to take the job for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk response process are as follows: Risk register Risk management plan - C. Monitor and Control Risk
- D. is incorrect. Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process. Answer: A is incorrect. Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk
process effectiveness throughout the project. It can involve choosing alternative strategies,
executing a contingency or fallback plan, taking corrective action, and modifying the project
management plan. - E. Identify Risks
- F. Qualitative Risk Analysis
正解:A
解説:
is incorrect. Qualitative analysis is the definition of risk factors in terms of
high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative
scale.
Some of the qualitative methods of risk analysis are:
Scenario analysis- This is a forward-looking process that can reflect risk for a given point in time.
Risk Control Self -assessment (RCSA) - RCSA is used by enterprises (like banks) for the
identification and evaluation of operational risk exposure. It is a logical first step and assumes that
business owners and managers are closest to the issues and have the most expertise as to the
source of the risk. RCSA is a constructive process in compelling business owners to contemplate,
and then explain, the issues at hand with the added benefit of increasing their accountability.
質問 # 643
Which of the following would BEST help to ensure that suspicious network activity is identified?
- A. Using a third-party monitoring provider
- B. Coordinating events with appropriate agencies
- C. Analyzing server logs
- D. Analyzing intrusion detection system (IDS) logs
正解:A
解説:
Section: Volume D
質問 # 644
A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
- A. Applying risk appetite
- B. Referencing risk event data
- C. Understanding risk culture
- D. Applying risk factors
正解:C
質問 # 645
Which of the following is the PRIMARY reason for monitoring activities performed in a production database
environment?
- A. Ensuring that database changes are correctly applied
- B. Preventing system developers from accessing production data
- C. Deterring illicit actions of database administrators
- D. Enforcing that changes are authorized
正解:A
解説:
Ensuring that database changes are correctly applied is the primary reason for monitoring activities performed
in a production database environment, as it helps to maintain the integrity, availability, and performance of
the database and the applications that depend on it. Database changes are any modifications made to the
database structure, configuration, data, or code, such as adding or deleting tables, columns, indexes, or
triggers, updating or inserting data, or altering stored procedures or functions. Database changes can have
significant impacts on the database functionality and behavior, and may introduce errors, inconsistencies, or
vulnerabilities if not applied correctly. Therefore, monitoring database changes is essential to verify that the
changes are implemented as intended, comply with the design specifications and standards, and do not cause
any adverse effects or conflicts with the existing database or application components.
The other options are not the primary reasons for monitoring activities performed in a production database
environment. Enforcing that changes are authorized is an important aspect of database change management,
but it is not the main purpose of database monitoring. Database change management is the process of
planning, reviewing, approving, and implementing database changes in a controlled and consistent manner.
Database change management helps to ensure that the changes are authorized by the appropriate stakeholders,
aligned with the business requirements and objectives, and documented and communicated to the relevant
parties. Database monitoring can support database change management by providing information and
feedback on the change implementation and performance, but it does not enforce the change authorization.
Deterring illicit actions of database administrators is a possible benefit of database monitoring, but it is not the
primary reason for it. Database administrators are the users who have the highest level of access and privilege
to the database, and they are responsible for managing and maintaining the database operations and security.
Database monitoring can help to deter illicit actions of database administrators by tracking and auditing their
activities and actions on the database, and alerting or escalating any suspicious or malicious behavior.
However, database monitoring is not the only or the most effective way to prevent or detect illicit actions of
database administrators. Other measures, such as implementing the principle of least privilege, segregating
duties, enforcing password policies, and encrypting data, are also necessary to protect the database from
unauthorized or improper access or manipulation by database administrators or other users. Preventing system
developers from accessing production data is apossible benefit of database monitoring, but it is not the
primary reason for it. System developers are the users who design, develop, and test the applications that
interact with the database. System developers should not have access to the production data, as it may contain
sensitive or confidential information that could be compromised or misused by the developers. System
developers should only use test or dummy data for their development and testing purposes. Database
monitoring can help to prevent system developers from accessing production data by controlling and
restricting their access and privilege to the database, and logging and reporting any unauthorized or
inappropriate access attempts. However, database monitoring is not the only or the most effective way to
prevent system developers from accessing production data. Other measures, such as implementing access
control policies, masking or anonymizing data, and isolating development and production environments, are
also necessary to safeguard the production data from system developers or other users. References = Database
Monitoring: Basics & Introduction | Splunk, IT Risk Resources | ISACA, Best Practices for Database
Performance Monitoring
質問 # 646
The PRIMARY purpose of IT control status reporting is to:
- A. benchmark IT controls with industry standards.
- B. facilitate the comparison of the current and desired states.
- C. ensure compliance with IT governance strategy.
- D. assist internal audit in evaluating and initiating remediation efforts.
正解:B
解説:
Section: Volume D
質問 # 647
Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
- A. To measure business exposure to risk
- B. To monitor the achievement of set objectives
- C. To identify control vulnerabilities
- D. To raise awareness of operational issues
正解:B
質問 # 648
A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?
- A. Determine changes in the risk level.
- B. Add agenda item to the next risk committee meeting.
- C. Review the patch management process.
- D. Outsource the vulnerability management process.
正解:A
解説:
A key risk indicator (KRI) is a metric that measures the changes in the level of risk exposure, such as by monitoring the risk drivers, triggers, or events. A KRI indicates a reduction in the percentage of appropriately patched servers means that the enterprise is not applying the latest security updates or fixes to its servers, which could expose them to vulnerabilities or threats. The best course of action for the risk practitioner when a KRI indicates a reduction in the percentage of appropriately patched servers is to determine changes in the risk level. The risk level is the measure of the impact and likelihood of the risk, and it should be consistent and comparable across the enterprise and over time. By determining changes in the risk level, the risk practitioner can assess the current or emerging risks, and decide on the appropriate risk response strategy and actions. The other options are not the best course of action, as they involve different aspects or outcomes of the risk management process:
* Outsource the vulnerability management process means that the enterprise transfers the responsibility or burden of identifying, analyzing, prioritizing, and remediating the vulnerabilities in the IT systems and applications to a third party, such as a vendor or a contractor. This may not be a feasible or effective way to address the risk of unpatched servers, as it may not reduce the exposure or impact of the risk, or may introduce new risks, such as contractual disputes, quality issues, or intellectual property rights.
* Review the patch management process means that the enterprise evaluates the existing procedures and practices for applying the security updates or fixes to the servers, and identifies the gaps or weaknesses that need to be addressed. This may be a useful step in the risk management process, but it is not the best course of action, as it may not provide immediate or sufficient information or action to address the risk of unpatched servers, or may not account for the uncertainties or complexities of the risk.
* Add agenda item to the next risk committee meeting means that the enterprise communicates the risk of unpatched servers to the senior executives who oversee the enterprise-wide risk management program, and provide guidance and direction to the risk owners and practitioners. This may be a helpful step in the risk management process, but it is not the best course of action, as it may not provide timely or adequate information or action to address the risk of unpatched servers, or may not reflect the urgency or priority of the risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2.1, pp. 171-172.
質問 # 649
A management team is on an aggressive mission to launch a new product to penetrate new markets and
overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
- A. culture.
- B. tolerance.
- C. analysis.
- D. management.
正解:A
解説:
Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of
management and employees1. Risk culture influences how the organization perceives, responds to, and
manages the risks that may affect its objectives, operations, or assets2.
The scenario described in the question best demonstrates an organization's risk culture, because it shows how
the management team's attitude and actions towards risk are driven by the organization's values and goals. In
this case, the organization's risk culture is characterized by:
A high risk appetite and tolerance, which means that the organization is willing to take and accept significant
risks in order to achieve its strategic objectives of launching a new product and penetrating new markets
A low risk awareness and sensitivity, which means that the organization does not pay enough attention or
consideration to the potential IT risk factors, threats, and vulnerabilities that may affect its product
development and market entry
A weak risk governance and control, which means that the organization does not have adequate or effective
policies, procedures, or mechanisms to identify, assess, respond, or monitor the IT risks and their impacts
References = Risk Culture of Companies | ERM - Enterprise Risk Management Initiative ..., Taking control
of organizational risk culture | McKinsey
質問 # 650
Which metric is most useful in assessing the effectiveness of an organization's ability to respond to and manage security incidents?
- A. Number of false positives reported
- B. Number of personnel dedicated to security monitoring
- C. Percentage of systems being monitored
- D. Average time to contain security incidents
正解:D
解説:
The average time to contain security incidents directly reflects how quickly and effectively an organization can respond to cybersecurity threats, which is a critical measure of the program's effectiveness. Other options like percentage of systems monitored or number of personnel indicate resources or scope but do not measure outcome or effectiveness. False positives may indicate detection issues but are less tied to program effectiveness than incident containment time.
質問 # 651
Who is responsible for IT security controls that are outsourced to an external service provider?
- A. Organization's risk function
- B. Organization's information security manager
- C. Service provider's information security manager
- D. Service provider's IT management
正解:B
解説:
The organization's information security manager is responsible for IT security controls that are outsourced to an external service provider. The information security manager is accountable for ensuring that the security policies and standards of the organization are followed by the service provider, and that the security objectives and requirements are met. The information security manager is also responsible for monitoring and evaluating the security performance and compliance of the service provider, and for managing the security risks and incidents that may arise from the outsourcing arrangement. The organization's risk function, the service provider's IT management, and the service provider's information security manager are not responsible for IT security controls that are outsourced, as they have different roles and responsibilities in the outsourcing process. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section
5.2.1.2, page 2461
1: ISACA Certified in Risk and Information Systems Control (CRISC) Exam Guide, Answer to Question
651.
質問 # 652
A small organization finds it difficult to implement separation of duties necessary to mitigate the likelihood of system misuse. Which of the following would be the BEST compensating control?
- A. Obtain independent analysis of transaction logs
- B. Assign activities to fewer employees
- C. Undertake control self-assessments (CSAs)
- D. Require reports from staff with multiple duties
正解:A
解説:
When separation of duties (SoD) cannot be fully implemented-typically due to limited personnel-a compensating control must provide comparable assurance that no individual can exploit a conflict of interest or perform unauthorized actions without detection.
According to the CRISC study guide and ISACA's Control Objectives for Information and Related Technologies (COBIT):
* Compensating controls substitute for missing primary controls when business or technical constraints prevent their full implementation.
* The most effective compensating control for SoD issues is independent review or monitoring of activities performed by those with multiple roles.
Obtaining an independent analysis of transaction logs ensures that another trusted party validates the actions taken by employees, detecting inappropriate or fraudulent activities.
Option explanations:
* A. Control self-assessments are self-reviews, not independent, and therefore insufficient for SoD conflicts.
* B. Reports from staff with multiple duties still depend on self-reporting, which lacks independence.
* D. Assigning activities to fewer employees increases risk rather than mitigating it.
This aligns with CRISC's emphasis that "an independent review of audit logs is the best compensating control when segregation of duties conflict exists in a small IT department." (CRISC Notes, Slide 349).
質問 # 653
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
- A. Monitor the residual risk level of the accepted risk.
- B. Document the risk decision in the project risk register.
- C. Reject the risk acceptance and require mitigating controls.
- D. Escalate the risk decision to the project sponsor for review.
正解:A
質問 # 654
During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been
completed However, there were other risk mitigation actions implemented. Which of the fallowing is the
BEST course of action?
- A. Review the cost-benefit of mitigating controls
- B. Update the risk register with implemented mitigating actions
- C. Verify the sufficiency of mitigating controls with the risk owner
- D. Mark the risk status as unresolved within the risk register
正解:C
解説:
The best course of action for a risk practitioner who finds that the approved risk action plan has not been
completed but other risk mitigation actions have been implemented is to verify the sufficiency of mitigating
controls with the risk owner. This is because the risk owner is the person who is accountable for the risk and
the risk response strategy, and therefore should be consulted to ensure that the alternative actions are adequate
and effective in reducing the risk to an acceptable level. The other options are not the best course of action,
although they may also be performed after verifying the sufficiency of mitigating controls with the risk
owner. Reviewing the cost-benefit of mitigating controls, marking the risk status as unresolved within the risk
register, and updating the risk register with implemented mitigating actions are secondary actions that depend
on the outcome of the verification process. References = Risk and Information Systems Control Study
Manual, 7th Edition, Chapter 4, Section 4.3.2, p. 193.
質問 # 655
......
CRISC 資格認定試験は、IT リスク管理および情報システムの制御に関する知識と専門知識を示したい IT 専門家にとって、やりがいのある経験です。試験に合格して資格を取得することで、専門家はキャリアの見通しを向上させ、IT リスク管理の分野での卓越性への取り組みを示すことができます。
全幅的な更新された問題集PDFのテストCRISC試験問題とアンサー:https://www.goshiken.com/ISACA/CRISC-mondaishu.html
100%無料CRISC試験問題集を試験簡単にパスせよ:https://drive.google.com/open?id=15ANKRy0ynodKebMj9H6nL-oEbIbBKeMi