[2025年12月]更新のCRISC試験問題集合格させるのは2025年最新のCertified in Risk and Information Systems Control
無料で使えるCRISC試験問題集で合格させるお手軽に試験合格
ISACA CRISC(Certified in Risk and Information Systems Control)認定試験は、情報技術(IT)業界の専門家向けのグローバルに認められた資格です。この認定は、情報システムの開発、利用、およびガバナンスに焦点を当てた専門協会であるInformation Systems Audit and Control Association(ISACA)によって授与されます。CRISC認定は、リスク管理と情報システムコントロールの管理に関する専門知識とスキルを示します。
CRISC認定は、リスク管理、情報システムコントロール、およびITガバナンスに経験があるプロフェッショナルを対象としています。候補者は、これらの分野で最低3年以上の経験を持ち、リスク管理戦略の設計と実装の経験を持つ必要があります。この認定は、ヘルスケア、金融、テクノロジーなどの業界で働く個人や、リスク管理サービスを提供するコンサルティング企業で働く人々に最適です。
質問 # 272
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
- A. restoration monitoring reports
- B. resources to monitor backups
- C. backup recovery requests
- D. recurring restore failures
正解:D
質問 # 273
The risk associated with an asset after controls are applied can be expressed as:
- A. the likelihood of a given threat.
- B. a function of the likelihood and impact.
- C. a function of the cost and effectiveness of controls.
- D. the magnitude of an impact.
正解:B
解説:
The risk associated with an asset after controls are applied can be expressed as a function of the likelihood
and impact, as it helps to measure and quantify the residual risk level and exposure. Residual risk is the risk
that remains after the implementation of controls or risk treatments. Residual risk can be calculated by
multiplying the likelihood and impact of a risk event, where likelihood is the probability or frequency of the
risk event occurring, and impact is the consequence or severity of the risk event on the asset or objective.
Residual risk can be expressed as:
ResidualRisk=Likelihood×Impact
Expressing the risk associated with an asset after controls are applied as a function of the likelihood and
impact helps to provide the following benefits:
It enables a data-driven and evidence-based approach to risk assessment and reporting, rather than relying on
subjective or qualitative judgments.
It facilitates a consistent and standardized way of measuring and communicating risk levels and exposure
across the organization and to the external stakeholders.
It supports the alignment of risk management and control activities with the organizational strategy and
objectives, and helps to evaluate the achievement of the desired outcomes.
It helps to identify and prioritize the areas for improvement and enhancement of the risk management and
control processes, and guide the development and implementation of corrective or preventive actions.
It provides feedback and learning opportunities for the risk management and control processes, and helps to
foster a culture of continuous improvement and innovation.
The other options are not the best ways to express the risk associated with an asset after controls are applied.
A function of the cost and effectiveness of controls is a measure of the inputs or outputs of therisk
management and control processes, but it does not indicate the risk level or exposure. The likelihood of a
given threat is a component of the risk calculation, but it does not reflect the impact or consequence of the
threat. The magnitude of an impact is a component of the risk calculation, but it does not reflect the likelihood
or probability of the risk event.References=Risk Assessment and Analysis Methods: Qualitative and
Quantitative,IT Risk Resources | ISACA,Residual Risk: Definition, Formula & Management - Video &
Lesson ...
質問 # 274
The objective of aligning mitigating controls to risk appetite is to ensure that:
- A. exposures are reduced to the fullest extent
- B. the cost of controls does not exceed the expected loss.
- C. exposures are reduced only for critical business systems
- D. insurance costs are minimized
正解:B
解説:
The objective of aligning mitigating controls to risk appetite is to ensure that the cost of controls does not
exceed the expected loss. The cost of controls is the amount of resources and efforts required to implement
and maintain the controls that are designed to reduce the risk exposure. The expected loss is the estimated
amount of loss or harm that may result from a risk event. Therisk appetite is the amount and type of risk that
an organization is willing to accept in pursuit of its objectives. By aligning mitigating controls to risk appetite,
the organization can optimize the balance between the cost of controls and the expected loss, and avoid over-
or under-investing in controls. Exposures being reduced to the fullest extent,exposures being reduced only for
critical business systems, and insurance costs being minimized are other possible objectives, but they are not
as relevant as the cost of controls not exceeding the expected loss. References = ISACA Certified in Risk and
Information Systems Control (CRISC) Certification Exam Question and Answers, question 8; CRISC Review
Manual, 6th Edition, page 97.
質問 # 275
An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?
- A. Require security access badges.
- B. Conduct security awareness training.
- C. Install security cameras.
- D. Employ security guards.
正解:B
質問 # 276
Determining if organizational risk is tolerable requires:
- A. comparing against regulatory requirements
- B. mapping residual risk with cost of controls
- C. understanding the organization's risk appetite.
- D. comparing industry risk appetite with the organizations.
正解:C
解説:
Determining if organizational risk is tolerable requires understanding the organization's risk appetite, which is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives1. Understanding the organization's risk appetite can help to:
* Define and communicate the risk tolerance, which is the acceptable or unacceptable level of risk for each risk category or scenario2.
* Guide and align the risk identification, analysis, evaluation, and treatment processes, and ensure that the risks are consistent and proportional to the risk appetite3.
* Measure and monitor the risk performance and outcome, and ensure that the residual risk (the risk that remains after the risk responses) is within the risk appetite, or take corrective actions if needed4.
The other options are not the best ways to determine if organizational risk is tolerable, because:
* Mapping residual risk with cost of controls is a useful but not sufficient way to determine if organizational risk is tolerable, as it provides a quantitative analysis of the trade-off between the risk level and the risk response cost5. However, mapping residual risk with cost of controls does not consider the qualitative aspects of the risk, such as the impact on the organization's strategy, culture, or reputation.
* Comparing against regulatory requirements is a necessary but not sufficient way to determine if organizational risk is tolerable, as it ensures that the organization complies with the applicable laws, rules, or standards that govern its activities and operations6. However, comparing against regulatory requirements does not guarantee that the organization meets its own objectives and expectations, which may be higher or lower than the regulatory requirements.
* Comparing industry risk appetite with the organization's risk appetite is a helpful but not sufficient way to determine if organizational risk is tolerable, as it provides a reference or a standard for benchmarking the organization's risk level and performance with its peers or competitors7. However, comparing industry risk appetite with the organization's risk appetite does not ensure that the organization addresses its specific or unique risks, which may differ from the industry risks.
References =
* Risk Appetite - CIO Wiki
* Risk Tolerance - CIO Wiki
* Risk Management Process - CIO Wiki
* Risk Monitoring - CIO Wiki
* Residual Risk - CIO Wiki
* Regulatory Compliance - CIO Wiki
* Benchmarking - CIO Wiki
* Risk and Information Systems Control documents and learning resources by ISACA
質問 # 277
According to the Section-302 of the Sarbanes-Oxley Act of 2002, what does certification of reports implies?
Each correct answer represents a complete solution. Choose three.
- A. The financial statement does not contain any materially untrue or misleading information.
- B. The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date at the time to report.
- C. The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.
- D. The signing officer has reviewed the report.
正解:A、C、D
解説:
Explanation/Reference:
Explanation:
Section 302 of Sarbanes-Oxley act has the tremendous impact on the risk management solution adopted by corporations. This section specifies that the reports must be certified by the CEO, CFO, or other senior officer performing similar functions.
Certification of reports establishes:
The signing officer has reviewed the report.
The financial statement do not contain, to the knowledge of signing officer, any materially untrue or
misleading information and represent fairly all financial conditions and results of the enterprise's operations.
The signing officers:
- are responsible for establishing and maintaining internal controls
- have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made - known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared
- have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report
- have presented in the report their conclusions about the effectiveness of their internal controls base on their evaluation as of that date The signing officer have disclosed to external auditors, audit committee, and other directors:
- all significant deficiencies in the design or operation of internal controls which could adversely affect the reliability of the reported financial data
- any fraud, whether or not material, that involves management or other employees who have a significant role in the internal controls of the enterprise The signing officer have indicated in the report any internal controls or changes to those internal
controls which have been implemented since they were evaluated.
Incorrect Answers:
A: The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report, not at the time of the report.
質問 # 278
Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?
- A. Perform a cost-benefit analysis.
- B. Develop risk scenarios.
- C. Perform an audit.
- D. Conduct a risk analysis.
正解:D
解説:
Understanding Risk Analysis:
* Risk analysis involves identifying potential risks associated with a new application and assessing their likelihood and impact on the organization.
* It provides a detailed understanding of the potential threats, vulnerabilities, and consequences, enabling informed decision-making.
Steps in Conducting a Risk Analysis:
* Identify Risks: Determine what risks could arise from the new application, including security vulnerabilities, compliance issues, and operational disruptions.
* Assess Risks: Evaluate the likelihood and impact of each identified risk. This includes both qualitative and quantitative assessments.
* Prioritize Risks: Rank the risks based on their assessed impact and likelihood to focus on the most significant threats first.
Importance of Risk Analysis:
* Provides senior management with a comprehensive view of the risks involved, enabling them to make informed decisions about proceeding with the application.
* Helps in developing mitigation strategies to address the identified risks.
Comparing Other Options:
* Perform an Audit: Audits are useful for evaluating existing controls but are not the first step in assessing risks for a new application.
* Develop Risk Scenarios: This is part of the risk analysis process but comes after identifying and assessing risks.
* Perform a Cost-Benefit Analysis: Important for decision-making but follows the initial risk analysis to understand potential impacts.
References:
* The CRISC Review Manual emphasizes the importance of conducting a risk analysis to understand and manage risks associated with new applications (CRISC Review Manual, Chapter 2: IT Risk Assessment, Section 2.2.1 Conducting Risk Analysis).
質問 # 279
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
- A. A risk roadmap
- B. The risk register
- C. A heat map
- D. A balanced scorecard
正解:C
解説:
A heat map is a graphical representation of the organization's risk profile that shows the relative level of risk for each risk category or event. A heat map uses colors, shapes, or symbols to indicate the magnitude and likelihood of each risk, as well as its trend and status. A heat map offers the simplest overview of changes in the organization's risk profile, as it allows the risk decision-makers to quickly identify the most significant risks, the areas of improvement or deterioration, and the gaps or overlaps in risk management. A heat map can also be used to communicate the risk profile to senior management and other stakeholders in a clear and concise manner. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Risk Assessment Methods and Techniques, Page 77; Future Risks: How organizations see changes in risk management - Aon.
質問 # 280
Which of the following is MOST important to determine as a result of a risk assessment?
- A. Process ownership
- B. Risk tolerance levels
- C. Risk appetite statement
- D. Risk response options
正解:D
解説:
Identifying risk response options enables informed decisions on managing identified risks. This step is integral to transitioning from Risk Assessment to Risk Treatment, ensuring risks are addressed effectively.
質問 # 281
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
- A. recurring vulnerabilities.
- B. vulnerabilities remediated.
- C. vulnerability scans.
- D. new vulnerabilities identified.
正解:A
解説:
Section: Volume D
質問 # 282
During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
- A. Warning signs
- B. Symptoms
- C. Cost of the project
- D. Risk rating
正解:C
解説:
Section: Volume B
Explanation:
The cost of the project is not an indicator of risk urgency. The affect of the risk on the overall cost of the project may be considered, but it is not the best answer.
Incorrect Answers:
A: Warning signs are an indicator of the risk urgency.
B: Symptoms are an indicator of the risk urgency.
C: The risk rating can be an indicator of the risk urgency.
質問 # 283
Which of the following is a KEY responsibility of the second line of defense?
- A. Conducting control self-assessments
- B. Monitoring control effectiveness
- C. Implementing control activities
- D. Owning risk scenarios
正解:B
解説:
The second line of defense is a group of functions that provide oversight, guidance, and monitoring of the risk management activities of the first line of defense. The second line of defense includes risk management, compliance, and internal control departments. Their key responsibility is to monitor the effectiveness of the control activities implemented by the first line of defense, and to report any issues or gaps to senior management and the board. The second line of defense also supports the first line of defense by providing frameworks, policies, tools, and techniques to identify, measure, and manage risks. The other options are not the key responsibility of the second line of defense, as explained below:
* A. Implementing control activities is the responsibility of the first line of defense, which consists of the business units and process owners that own and manage the risks associated with their daily operations.
* C. Conducting control self-assessments is a technique used by the first line of defense to evaluate the design and operation of their own controls, and to identify and report any deficiencies or improvement opportunities.
* D. Owning risk scenarios is the responsibility of the first line of defense, which is accountable for the risks inherent in their business activities, and for developing and executing risk response strategies.
References = Modernizing The Three Lines of Defense Model | Deloitte US, The second line of defence: fit for purpose, not an uncomfortable fit | Knowledge | Linklaters, COSO's Take on the Three Lines of Defense | ERM - Enterprise Risk Management, Three Lines of Defense | Risk Management - Schneider Downs CPAs, What is the Three Lines of Defense Approach to Risk Management?
質問 # 284
Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events
and subsequent losses has been identified?
- A. Integrate the risk event and incident management processes.
- B. Conduct root cause analyses for risk events.
- C. Implement controls to prevent future risk events.
- D. Educate personnel on risk mitigation strategies.
正解:B
解説:
Conducting root cause analyses for risk events is the first recommendation that a risk practitioner should make
when an increasing trend of risk events and subsequent losses has been identified, as this helps to identify the
underlying causes and sources of the risk events, and to determine the appropriate actions to address them.
Root cause analysis is a systematic process of collecting and analyzing data, finding the root causes, and
implementing solutions to prevent recurrence or reduce the impact of the risk events. Educating personnel on
risk mitigation strategies, integrating the risk event and incident management processes, and implementing
controls to prevent future risk events are not the first recommendations, but rather the possible outcomes or
actions of conducting root cause analyses for risk events. References = CRISC Certified in Risk and
Information Systems Control - Question208; ISACA Certified in Risk and Information Systems Control
(CRISC) Certification Exam Question and Answers, question 208.
質問 # 285
During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?
- A. Consult with the IT department to update the RTO
- B. Consult with the business owner to update the BCP
- C. Complete a risk exception form
- D. Report the gap to senior management
正解:D
解説:
Section: Volume D
質問 # 286
Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?
- A. Consulting risk owners
- B. Evaluating KPIs in accordance with risk appetite
- C. Reviewing control objectives
- D. Aligning with industry best practices
正解:B
解説:
The best way to facilitate the identification of appropriate key performance indicators (KPIs) for a risk management program is to evaluate KPIs in accordance with risk appetite. KPIs are metrics that measure the performance and effectiveness of the risk management program, and help monitor and report on the achievement of the risk objectives and outcomes. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives. Evaluating KPIs in accordance with risk appetite helps to identify the appropriate KPIs, because it helps to align the KPIs with the organization's mission, vision, values, and strategy, and to ensure that the KPIs reflect the organization's risk tolerance and threshold. Evaluating KPIs in accordance with risk appetite also helps to communicate and coordinate the KPIs with the organization's stakeholders, such as the board, management, and business units, and to facilitate the risk decision-making and reporting processes. The other options are not as effective as evaluating KPIs in accordance with risk appetite, although they may be part of or derived from the KPI identification process. Reviewing control objectives, aligning with industry best practices, and consulting risk owners are all activities that can help to define or refine the KPIs, but they are not the best way to facilitate the identification of appropriate KPIs. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.5.1, page 4-38.
質問 # 287
Which of the following is MOST important to review when an organization needs to transition the majority of
its employees to remote work during a crisis?
- A. Access management
- B. Capacity management
- C. Impacts on IT project delivery
- D. Customer notification plans
正解:B
解説:
Capacity management is crucial when transitioning employees to remote work during a crisis. It involves
ensuring that the IT infrastructure can handle increased loads and that resources are available to support
remote operations effectively.
質問 # 288
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
- A. Redact data where possible.
- B. Limit access to the personal data.
- C. Do not collect or retain data that is not needed.
- D. Ensure all data is encrypted at rest and during transit.
正解:D
質問 # 289
Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?
- A. Risk management action plans
- B. Tabletop exercise results
- C. Business impact analysis (BIA)
- D. What-if technique
正解:C
解説:
* Business Impact Analysis (BIA):
* Purpose: A BIA is a systematic process to evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency.
* Identification of Consequences: It identifies critical resources and the consequences of their loss, allowing an organization to determine the operational and financial impacts of such losses.
* Steps Involved in BIA:
* Identify Critical Functions: Determine which business functions and processes are essential to the organization's operations.
* Assess Impact: Evaluate the impact of losing these functions on the organization's ability to operate.
* Estimate Downtime Tolerance: Determine the maximum allowable downtime for critical functions before significant harm occurs.
* Identify Dependencies: Document dependencies between systems, processes, and resources to understand how disruptions to one part affect the whole.
* Comparison with Other Options:
* Risk Management Action Plans: These are detailed plans developed to address identified risks but do not specifically focus on the impact of losing critical resources.
* What-if Technique: This is a brainstorming technique used to explore potential risks and their impacts but is not as structured as a BIA.
* Tabletop Exercise Results: These exercises simulate disaster scenarios to test response plans but do not provide the comprehensive impact analysis that a BIA does.
* Best Practices:
* Regular Updates: Regularly update the BIA to reflect changes in the business environment and operational dependencies.
* Integration with DR/BC Plans: Ensure that findings from the BIA are integrated into disaster recovery (DR) and business continuity (BC) plans to enhance overall preparedness.
* CRISC Review Manual: Discusses the importance of BIA in identifying the impacts of losing critical resources and guiding the development of effective risk management strategies.
* ISACA Standards: Highlight the role of BIA in evaluating the consequences of resource loss and informing business continuity planning.
References:
質問 # 290
An organization has implemented immutable backups to prevent successful ransomware attacks. Which of the following is the MOST effective control for the risk practitioner to review?
- A. Data recovery testing of the backups
- B. Retention policy for the backups
- C. Physical security of the backups
- D. Configuration of the backup solution
正解:D
質問 # 291
Which of the following presents the GREATEST challenge to managing an organization's end-user devices?
- A. Multiple end-user device models
- B. Incomplete end-user device inventory
- C. Incompatible end-user devices
- D. Unsupported end-user applications
正解:B
質問 # 292
A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?
- A. Detective
- B. Preventive
- C. Directive
- D. Deterrent
正解:C
質問 # 293
A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.
Which of the following would pose the GREATEST concern for the risk practitioner?
- A. The organization has not reviewed its encryption standards.
- B. The organization has implemented heuristics on its network firewall.
- C. The organization has not adopted Infrastructure as a Service (laaS) for its operations.
- D. The organization has incorporated blockchain technology in its operations.
正解:A
質問 # 294
......
CRISC試験問題集、CRISC練習テスト問題:https://www.jpntest.com/shiken/CRISC-mondaishu
無料CRISC学習ガイド試験問題と解答:https://drive.google.com/open?id=1Ak3SAXrQ8JbIMrvaHe-aoOsdVReuuj4H