CISA-JPN Exam Question 316
Which of the following concerns can be MOST effectively addressed by implementing an IT framework for aligning IT with business objectives?
Correct answer: D
An IT framework for alignment between IT and business objectives is a set of principles, guidelines, and practices that help an organization ensure that its IT investments support its strategic goals, deliver value, manage risks, and optimize resources. One of the benefits of implementing such a framework is that it enables effective IT portfolio management, which is the process of selecting, prioritizing, monitoring, and evaluating the IT projects and services that make up the IT portfolio. An IT portfolio is a collection of IT assets, such as applications, infrastructure, data, and capabilities, that are aligned with the business needs and objectives. IT portfolio management helps an organization achieve the following outcomes:
* Align the IT portfolio with the business strategy and vision
* Balance the IT portfolio among different types of investments, such as innovation, growth, maintenance, and compliance
* Optimize the IT portfolio performance, value, and risk
* Enhance the IT portfolio decision-making and governance
* Improve the IT portfolio communication and transparency
Therefore, inadequate IT portfolio management is a major concern that can be addressed by implementing an IT framework for alignment between IT and business objectives. Inadequate IT portfolio management can result in the following issues:
* Misalignment of the IT portfolio with the business needs and expectations
* Imbalance of the IT portfolio among competing demands and priorities
* Suboptimal use of the IT resources and capabilities
* Lack of visibility and accountability of the IT portfolio outcomes and impacts
* Poor communication and collaboration among the IT portfolio stakeholders
The other possible options are:
* Inaccurate business impact analysis (BIA): A BIA is a process of identifying and assessing the potential effects of a disruption or disaster on the critical business functions and processes. A BIA helps an organization to determine the recovery priorities, objectives, and strategies for its business continuity plan. A BIA is not directly related to an IT framework for alignment between IT and business objectives, although it may use some inputs from the IT portfolio management. Therefore, an inaccurate BIA is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
* Inadequate IT change management practices: IT change management is a process of controlling and managing the changes to the IT environment, such as hardware, software, configuration, or documentation. IT change management helps an organization to minimize the risks and disruptions caused by the changes, ensure the quality and consistency of the changes, and align the changes with the business requirements. IT change management is not directly related to an IT framework for alignment between IT and business objectives, although it may support some aspects of the IT portfolio management. Therefore, inadequate IT change management practices are not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
* Lack of a benchmark analysis: A benchmark analysis is a process of comparing an organization's performance, processes, or practices with those of other organizations or industry standards. A benchmark analysis helps an organization to identify its strengths and weaknesses, set realistic goals and targets, and implement best practices for improvement. A benchmark analysis is not directly related to an IT framework for alignment between IT and business objectives, although it may provide some insights for the IT portfolio management. Therefore, lack of a benchmark analysis is not a concern that can be effectively addressed by implementing an IT framework for alignment between IT and business objectives.
CISA-JPN Exam Question 317
Which of the following is the BEST way to ensure that a business continuity plan (BCP) will function effectively in the event of a major disaster?
Correct answer: B
The best way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster is to involve staff at all levels in periodic paper walk-through exercises. This means that the BCPs are tested and validated by the people who will execute them in a real situation, and any gaps, errors, or inconsistencies can be identified and corrected. Paper walk-through exercises are also a good way to raise awareness and train staff on their roles and responsibilities in a BCP scenario, as well as to evaluate the feasibility and effectiveness of the recovery strategies [1].
The other options are not the best ways to ensure that BCPs will work effectively, because they do not involve testing or validating the plans. Preparing detailed plans for each business function is important, but it does not guarantee that the plans are realistic, practical, or aligned with the overall business objectives and priorities [2]. Regularly updating business impact assessments is also essential, but it does not ensure that the BCPs are aligned with the current business environment and risks [2]. Making senior managers responsible for their plan sections is a good way to assign accountability and authority, but it does not ensure that the plan sections are coordinated and integrated with each other [2].
References:
* [3] Best Practice Guide: Business Continuity Planning (BCP)
* [1] Best Practices for Creating a Business Continuity Plan
* Business Continuity Plan Best Practices
CISA-JPN Exam Question 318
During a post-implementation review of a newly modified, internally developed IT application, which of the following is the MOST important item for the IS auditor to assess?
Correct answer: A
A post-implementation review (PIR) of a newly modified IT application focuses on ensuring that the system meets business and security requirements effectively. The sufficiency of implemented controls (A) is the most critical aspect because it ensures that security, operational, and compliance controls are functioning correctly.
These controls include access controls, data integrity checks, and audit logs to prevent unauthorized access, data corruption, or security breaches.
Other options:
Resource management plan (B) is important for project management but is not the primary concern for an IS auditor in a post-implementation review.
Updates required for end-user manuals (C) are necessary for usability but do not impact the security or operational integrity of the system.
Rollback plans for changes (D) are important for change management but are typically assessed before deployment, not in a PIR.
Reference: ISACA CISA Review Manual, IT Governance and Management of IT
CISA-JPN Exam Question 319
What is the MOST effective way to manage contractors' access to the data center?
Correct answer: D
CISA-JPN Exam Question 320
During audit planning, an IS audit manager is considering whether to allocate budget to auditing entities regarded by the business as low risk. Which of the following is the BEST course of action in this situation?
Correct answer: C
Audit planning is the process of developing an overall strategy and approach for conducting an audit. Audit planning involves identifying the objectives, scope, criteria, and methodology of the audit, as well as the resources, schedule, and reporting requirements. Audit planning also involves performing a risk assessment to identify and prioritize the areas of highest risk and significance for the audit [1].
Risk assessment is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking. Risk assessment involves identifying the sources and causes of risk, analyzing the likelihood and impact of risk, and determining the level of risk and the appropriate response [2].
During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. The best course of action in this situation is C. Validate the low-risk entity ratings and apply professional judgment.
This is because validating the low-risk entity ratings can help to ensure that the risk assessment is accurate, reliable, and consistent with the business objectives and expectations. Validating the low-risk entity ratings can also help to identify any changes or developments that may affect the risk profile of the entities since the last assessment. Applying professional judgment can help to determine whether the low-risk entities should be included or excluded from the audit plan, based on factors such as materiality, relevance, significance, and assurance needs [3].