[Q268-Q291] 検証済みのCRISC問題集と解答で合格保証で試験問題集テストエンジン [2026]

Share

検証済みのCRISC問題集と解答で合格保証で試験問題集テストエンジン [2026]

CRISC問題集と1890独特な問題


CRISC試験を受験するには、受験者は少なくとも3年間のITリスク管理および情報システムコントロールの経験を持ち、関連するトレーニングまたは教育の20時間以上を修了している必要があります。この試験はコンピュータベースであり、150問の多肢選択問題で構成されています。受験者は4時間以内に試験を完了する必要があり、450点以上の合格点数が必要です。全体的に、CRISC試験は挑戦的ながらも報酬の高い認定試験であり、個人がITリスク管理および情報システムコントロールの専門知識を証明するのに役立ちます。


認定されたリスクおよび情報システム管理(CRISC)認定試験は、リスク管理および情報システムの管理に関する個人の専門知識を検証するグローバルに認められた認定です。 CRISC認定は、ITガバナンス、保証、およびセキュリティ専門家に知識とリソースを提供することに焦点を当てたグローバルな非営利組織である情報システム監査および制御協会(ISACA)によって提供されます。 CRISC認定試験は、リスクを管理し、情報システムを制御し、情報システム(IS)およびビジネスリスクの特定と評価に関する専門知識を持つ専門家向けに設計されています。

 

質問 # 268
Which of the following is the FIRST step when conducting a business impact analysis (BIA)?

  • A. Identifying events impacting continuity of operations;
  • B. Creating a data classification scheme
  • C. Analyzing previous risk assessment results
  • D. Identifying critical information assets

正解:D


質問 # 269
An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly?

  • A. The risk owner
  • B. The risk practitioner
  • C. The audit manager
  • D. The control owner

正解:D

解説:
A control is a measure or action that is implemented to reduce the likelihood or impact of a risk event, or to enhance the benefits or opportunities of a risk event. A control owner is a person who is assigned the responsibility and authority for the design, implementation, operation, and maintenance of a control. A risk register is a tool that records and tracks the information about the identified risks, such as the risk description, category, owner, probability, impact, response strategy, status, and action plan. When an information security audit identified a risk resulting from the failure of an automated control, the person who is responsible for ensuring the risk register is updated accordingly is the control owner. The control owner should update the risk register with the information about the failed control, such as the cause, consequence, status, and action plan.
The control owner should also monitor the performance and compliance of the control, and recommend any improvements or adjustments as needed.


質問 # 270
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

  • A. the cost associated with each control
  • B. key risk indicators (KRIs)
  • C. historical risk assessments
  • D. information from the risk register

正解:C

解説:
Section: Volume D


質問 # 271
Which of the following BEST indicates that an organization has implemented IT performance requirements?

  • A. Vendor references
  • B. Service level agreements (SLA)
  • C. Accountability matrix
  • D. Benchmarking data

正解:B


質問 # 272
Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

  • A. Management sign-off on the scope
  • B. Visibility into all networked devices
  • C. Defined remediation plans
  • D. Manual testing of device vulnerabilities

正解:B

解説:
The most important factor when identifying an organization's risk exposure associated with IoT devices is visibility into all networked devices. This means having a comprehensive inventory of all the IoT devices connected to the organization's network, as well as their configurations, functions, and security status.
Visibility enables the organization to identify the potential threats and vulnerabilities that IoT devices pose, as well as the impact and likelihood of those risks. Visibility also helps the organization to monitor the behavior and performance of IoT devices, detect any anomalies or incidents, and respond accordingly. Without visibility, the organization may be unaware of the existence, location, or condition of some IoT devices, which could lead to undetected breaches, data loss, or operational disruptions. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: IT Risk Identification Methods and Techniques, Page 28; 8 Internet of Things Threats and Risks to Be Aware of - SecurityScorecard Blog.


質問 # 273
A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?

  • A. Business process owner
  • B. Chief information officer (CIO)
  • C. HR recruitment manager
  • D. HR training director

正解:C


質問 # 274
Which of the following is the BEST approach for selecting controls to minimize risk?

  • A. Cost-benefit analysis
  • B. Control-effectiveness evaluation
  • C. Industry best practice review
  • D. Risk assessment

正解:A

解説:
The best approach for selecting controls to minimize risk is to perform a risk assessment. A risk assessment is
a process that identifies, analyzes, and evaluates the risks that could affect the organization's objectives or
operations. A risk assessment helps to determine the likelihood and impact of the risks, and to prioritize them
based on their severity and relevance. A risk assessment also helps to select the most appropriate and effective
controls to minimize the risks, such as avoiding, reducing, transferring, or accepting the risks. A risk
assessment is the best approach for selecting controls, because it helps to align the controls with the
organization's risk profile, risk appetite, and risk objectives, and to ensure that the controls are adequate,
suitable, and cost-effective. The other options are not the best approach for selecting controls, although they
may be part of or derived from the risk assessment. Industry best practice review, cost-benefit analysis, and
control-effectiveness evaluation are all activities that can help to support or improve the control selection, but
they are not the best approach for selecting controls. References = Risk and Information Systems Control
Study Manual, Chapter 4, Section 4.2.1, page 4-13.


質問 # 275
Which of the following is the BEST way to validate the results of a vulnerability assessment?

  • A. Perform a penetration test.
  • B. Conduct a threat analysis.
  • C. Review security logs.
  • D. Perform a root cause analysis.

正解:A

解説:
According to the CRISC Review Manual (Digital Version), the best way to validate the results of a
vulnerability assessment is to perform a penetration test, which is a type of security testing that simulates an
attack on the IT assets and processes to exploit the identified vulnerabilities and evaluate the potential impact
and severity of the attack. Performing a penetration test helps to:
Confirm the existence and exploitability of the vulnerabilities detected by the vulnerability assessment
Measure the effectiveness and efficiency of the existing security controls and countermeasures
Identify and prioritize the risks and gaps in the security posture of the IT assets and processes
Recommend and implement appropriate remediation and mitigation actions to address the vulnerabilities and
risks
Enhance the security awareness and resilience of the organization
References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT
Risk Identification Methods and Techniques, pp. 36-371


質問 # 276
Which of the following approaches BEST identifies information systems control deficiencies?

  • A. Countermeasures analysis
  • B. Risk assessment
  • C. Gap analysis
  • D. Best practice assessment

正解:A


質問 # 277
Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

  • A. Remediation activity progress
  • B. Control performance predictions
  • C. IT service level agreements (SLAs)
  • D. Loss expectancy information

正解:D

解説:
Key risk indicator (KRI): A metric that measures the level of risk exposure or the likelihood of a risk event1.
KRI threshold: A predefined value or range that triggers an alert or action when the KRI reaches or exceeds it2.
Loss expectancy: The estimated amount of loss that an organization may incur due to a risk event3.
The most helpful thing in developing KRI thresholds is loss expectancy information. Loss expectancy information provides an estimate of the potential or expected impact of a risk event on the organization's operations, reputation, or objectives. Loss expectancy information can help an organization to:
Quantify and prioritize the risks that pose the greatest threat to the organization Determine the acceptable level of risk exposure or tolerance for each risk Set the appropriate value or range for the KRI threshold that reflects the risk appetite and the risk mitigation strategy Monitor and measure the performance and effectiveness of the risk management process and controls Loss expectancy information can be derived from various sources, such as historical data, statistical analysis, expert judgment, or simulation models3.
The other options are not as helpful as loss expectancy information in developing KRI thresholds, because they do not directly address the potential or expected impact of a risk event. Control performance predictions, which are the forecasts or estimates of how well the risk management controls will perform in preventing, detecting, or mitigating risks, may help to evaluate the adequacy and efficiency of the risk management process and controls, but they do not provide a clear and quantifiable measure of the risk impact. IT service level agreements (SLAs), which are the contracts or agreements that define the quality and availability of IT services, may help to establish the standards and expectations for IT service delivery and performance, but they do not provide a comprehensive and current view of the risk exposure or likelihood. Remediation activity progress, which is the status or outcome of the actions taken to address and resolve a risk event, may help to monitor and report the effectiveness and compliance of the risk management process and controls, but it is usually done after the risk event has occurred and resolved, not before.
References = Key Risk Indicators: Definition, Examples, and Best Practices, KRI Framework for Operational Risk Management | Workiva, Loss Expectancy: Definition, Calculation, and Examples


質問 # 278
Which of the following is the MOST important reason to communicate risk assessments to senior management?

  • A. To ensure actions can be taken to align assessment results to risk appetite
  • B. To ensure key risk indicator (KRI) thresholds can be adjusted for tolerance
  • C. To ensure the maturity of the assessment program can be validated
  • D. To ensure awareness of risk and controls is shared with key decision makers

正解:D

解説:
Communicating risk assessments to senior management is crucial for ensuring that key decision-makers are aware of the organization's risk landscape. This awareness enables informed decision-making regarding risk responses, resource allocation, and strategic planning. It also fosters a risk-aware culture throughout the organization.
Reference:ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section:
Risk Communication.


質問 # 279
Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?

  • A. Update security policies
  • B. Implement compensating controls
  • C. Conduct system testing
  • D. Perform a gap analysis

正解:D


質問 # 280
While considering entity-based risks, which dimension of the COSO ERM framework is being referred?

  • A. Risk components
  • B. Explanation:
    The organizational levels of the COSO ERM framework describe the subsidiary, business unit,
    division, and entity-levels of aspects of risk solutions.
  • C. Risk objectives
  • D. Organizational levels
  • E. Strategic objectives
  • F. is incorrect. Risk components includes Internal Environment, Objectives settings, Event
    identification, Risk assessment,Risk response, Control activities, Information and communication,
    and monitoring.
  • G. is incorrect. Strategic objectives includes strategic, operational, reporting, and
    compliance risks; and not entity-based risks.

正解:D

解説:
is incorrect. This is not valid answer.


質問 # 281
A risk practitioner's PRIMARY focus when validating a risk response action plan should be that risk response:

  • A. reduces risk to an acceptable level.
  • B. aligns with business strategy.
  • C. advances business objectives.
  • D. quantifies risk impact.

正解:B

解説:
Section: Volume D


質問 # 282
Which of the following is the BEST indicator of executive management's support for IT risk mitigation
efforts?

  • A. The number of executives attending IT security awareness training
  • B. The percentage of incidents presented to the board
  • C. The number of stakeholders involved in IT risk identification workshops
  • D. The percentage of corporate budget allocated to IT risk activities

正解:A

解説:
The best indicator of executive management's support for IT risk mitigation efforts is the number of
executives attending IT security awareness training. This shows that the executives are committed to
enhancing their knowledge and skills on IT security issues, and that they are setting a positive example for the
rest of the organization. The number of stakeholders involved in IT risk identification workshops, the
percentage of corporate budget allocated to IT risk activities, and the percentage of incidents presented to the
board are other possible indicators, but they are not as strong as the number of executives attending IT
security awareness training. References = ISACA Certified in Risk and Information Systems Control (CRISC)
Certification Exam Question and Answers, question 7; CRISC Review Manual, 6th Edition, page 202.


質問 # 283
Which of the following is MOST important for successful incident response?

  • A. The quantity of data logged by the attack control tools
  • B. The ability to trace the source of the attack
  • C. Blocking the attack route immediately
  • D. The timeliness of attack recognition

正解:D

解説:
Section: Volume D


質問 # 284
Which of the following is the BEST indication of the effectiveness of a business continuity program?

  • A. Business continuity and disaster recovery plans are regularly updated.
  • B. Business continuity tests are performed successfully and issues are addressed.
  • C. Business units are familiar with the business continuity plans and process.
  • D. Business impact analyses are reviewed and updated in a timely manner.

正解:B

解説:
According to the Section 4: Quiz 40 - Business Continuity Plan Flashcards, the best indication of the
effectiveness of a business continuity program is the successful performance of business continuity tests and
the resolution of any issues that arise. Business continuity tests are exercises that simulate various scenarios of
disruption or disaster and evaluate the organization's ability to recover and resume its critical functions.
Business continuity tests can help to validate the assumptions, objectives, and strategies of the business
continuity program, as well as to identify and address any gaps, weaknesses, or errors in the business
continuity and disaster recovery plans. By performing business continuity tests regularly and effectively, the
organization can ensure that its business continuity program is aligned with its needs andexpectations, and
that it can cope with any potential crisis. References = Section 4: Quiz 40 - Business Continuity Plan
Flashcards


質問 # 285
Which of the following would be MOST helpful when estimating the likelihood of negative events?

  • A. Cost-benefit analysis
  • B. Business impact analysis
  • C. Threat analysis
  • D. Risk response analysis

正解:C


質問 # 286
When addressing a potential risk within an organization, what should be the next step after identifying the risk?

  • A. Recommend management accept the low risk scenarios.
  • B. Assess management's risk tolerance.
  • C. Conduct targeted risk assessments.
  • D. Propose mitigating controls.

正解:D

解説:
Even if the residual risks are low, an ineffective key control warrants proposing additional mitigating controls to strengthen risk management. Accepting the risks without controls may expose the enterprise to unnecessary vulnerabilities. Targeted assessments may follow but addressing control weaknesses is the immediate priority.
Risk tolerance is relevant but secondary in this context.


質問 # 287
Which of the following is described by the definition given below?
"It is the expected guaranteed value of taking a risk."

  • A. Risk premium
  • B. Risk value guarantee
  • C. Certain value assurance
  • D. Certainty equivalent value

正解:D

解説:
Section: Volume A
Explanation
Explanation:
The Certainty equivalent value is the expected guaranteed value of taking a risk. It is derived by the uncertainty of the situation and the potential value of the situation's outcome.
Incorrect Answers:
B: The risk premium is the difference between the larger expected value of the risk and the smaller certainty equivalent value.
C, D: These are not valid answers.


質問 # 288
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

  • A. Business advertising will need to be tailored by country.
  • B. The data analysis may be ineffective in achieving objectives.
  • C. Data sampling may be impacted by various industry restrictions.
  • D. Regulatory requirements may differ in each country.

正解:D


質問 # 289
The acceptance of control costs that exceed risk exposure is MOST likely an example of:

  • A. high risk tolerance
  • B. low risk tolerance.
  • C. corporate culture misalignment.
  • D. corporate culture alignment.

正解:C


質問 # 290
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

  • A. Ensure compliance.
  • B. Promote a risk-aware culture.
  • C. Optimize resources needed for controls
  • D. Identify trends.

正解:D


質問 # 291
......

CRISC問題集は合格保証付き!合格させるCRISC試験:https://www.goshiken.com/ISACA/CRISC-mondaishu.html

CRISC試験問題集でベスト問題集を無料で試そうCRISC試験問題:https://drive.google.com/open?id=1xha_zJQxr6Ckda0RWM2pKZbNO1cY6Tkr