Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Information Systems Operations and Business Resilience

Practice CISA Information Systems Operations and Business Resilience questions with full explanations on every answer.

114 questions


All CISA Information Systems Operations and Business Resilience questions (114)


1

An organization is implementing a new incident management process aligned with ITIL. The IT team discovers a critical system is down, affecting all users. According to ITIL, what severity level should be assigned to this incident?

2

During a change advisory board (CAB) meeting, a proposed change to the database server is discussed. The change involves implementing a security patch that requires a reboot. The change is categorized as 'normal' and has been risk-assessed as low impact. What is the most likely role of the CAB in this scenario?

3

An organization's backup strategy includes daily incremental backups and weekly full backups. During a disaster recovery test, the restoration of a critical server fails because a required incremental backup is corrupt. Which control should the organization implement to verify the integrity of backups?

4

In business continuity planning, a company identifies a critical business process with a maximum tolerable downtime (MTD) of 4 hours. What is the primary purpose of this metric?

5

An IT auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes are frequently approved by the change manager without CAB review. Which risk is most associated with this practice?

6

A company outsources its IT help desk to a third-party vendor. The service level agreement (SLA) specifies that all P1 incidents must be resolved within 2 hours. During an audit, the auditor finds that the vendor’s average resolution time for P1 incidents is 3 hours. What is the most appropriate recommendation?

7

During a business impact analysis (BIA), a department manager states that their process can be disrupted for up to 8 hours, but data loss cannot exceed 15 minutes. Which two metrics are defined by these statements?

8

An organization uses automated job scheduling for nightly batch processing. One job fails due to a missing dependency file. What is the most effective control to prevent recurrence?

9

An organization is implementing a disaster recovery plan. The DR team wants to test the plan with minimal risk and without impacting production operations. Which type of test is most appropriate?

10

A company uses a RAID 5 array for its file server. One disk fails, and the system continues to operate. However, during the rebuild process, a second disk fails. What is the likely consequence?

11

An auditor is reviewing IT asset management processes. The auditor finds that several servers running an older operating system are still in production, even though the vendor has ended support. What is the primary risk associated with this finding?

12

A company's availability monitoring shows that a critical application has an average MTBF of 720 hours and an average MTTR of 4 hours. What is the availability percentage?

13

An organization is developing a business continuity strategy for its key customer-facing application. The BIA determined an RTO of 2 hours and an RPO of 30 minutes. Which TWO strategies are most appropriate to meet these objectives?

14

During a vendor audit, an IS auditor discovers that a cloud service provider uses subcontractors to manage data storage. The contract does not mention subcontracting. Which THREE risks should the auditor highlight to management?

15

An organization is implementing a new release management process. Which TWO activities are essential components of a successful release?

16

An organization has defined an SLA that requires critical incidents to be resolved within 4 hours. A P1 incident is reported at 10:00 AM. At what time must the incident be resolved to meet the SLA?

17

During a recent audit, the IT auditor found that the problem management process does not include a known error database (KEDB). Which of the following is the MOST significant risk associated with this finding?

18

An organization uses a standard change model for low-risk, pre-approved changes. Which of the following is an example of a standard change?

19

An IS auditor is reviewing the change management process and notices that several emergency changes were implemented without post-implementation review. What is the PRIMARY concern?

20

An organization's backup strategy includes full backups every Sunday and incremental backups on other days. On Wednesday, a failure occurs. Which backups are needed to restore the data?

21

Which of the following backup types copies only data that has changed since the last full backup?

22

An IT auditor is evaluating the capacity management process. Which of the following findings would be of MOST concern?

23

A system has a Mean Time Between Failures (MTBF) of 200 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

24

An organization is conducting a Business Impact Analysis (BIA). Which of the following metrics defines the maximum acceptable outage time for a critical business process?

25

During a disaster recovery test, the IS auditor observes that the alternate site uses a warm site configuration. Which of the following is a characteristic of a warm site?

26

Which type of disaster recovery test involves a full switch-over from the primary site to the alternate site, resulting in actual disruption of normal operations?

27

An organization outsources its IT help desk to a third-party vendor. Which clause is MOST important for the IS auditor to verify in the contract to ensure the organization can assess the vendor's controls?

28

Which TWO of the following are key considerations when managing software licenses in an organization? (Select TWO).

29

An IS auditor is reviewing the end-of-life (EOL) software policy. Which THREE risks are associated with running unsupported software? (Select THREE).

30

Which TWO of the following are important controls for managing cloud resources to prevent cost overruns? (Select TWO).

31

An organization classifies IT incidents based on severity. A critical financial application is unavailable, impacting all users. According to ITIL best practices, which severity level should this incident be assigned?

32

During a change management board (CAB) meeting, a proposed change to the network firewall configuration is discussed. The change is considered low risk and pre-approved. Which type of change does this represent?

33

An IT auditor is reviewing the problem management process. The IT team maintains a repository of known errors with documented workarounds. Which component of problem management is this?

34

An organization uses automated job scheduling for batch processing. A critical payroll job fails due to a dependency on a prior job that did not complete. The job scheduler is configured to handle dependencies. What should the auditor verify regarding rerun procedures?

35

A company performs daily full backups of its database and weekly incremental backups. The backup retention policy requires keeping full backups for 30 days and incremental backups for 7 days. An auditor reviews the backup schedule. Which backup type provides the fastest restore?

36

An organization's backup strategy includes taking full backups weekly and transactional log backups every 15 minutes. The auditor wants to verify that backup encryption is implemented for offsite storage. Which control is most relevant?

37

An IT auditor is reviewing capacity management. The server team monitors CPU utilization and disk space. They receive alerts when thresholds are exceeded. Which practice is most effective for proactive capacity planning?

38

An organization's availability management team reports that a critical server has an MTBF of 720 hours and an MTTR of 4 hours. What is the availability percentage for this server?

39

During a business impact analysis (BIA), the auditor identifies a critical process with a maximum tolerable downtime (MTD) of 4 hours. The IT department proposes a recovery time objective (RTO) of 2 hours and a recovery point objective (RPO) of 1 hour. Which statement is correct?

40

An organization is selecting a disaster recovery (DR) site. The primary data center is located in a region prone to earthquakes. The DR site should be at a sufficient distance to avoid the same disaster. Which type of alternate site provides the best balance of cost and recovery time for a medium-sized organization?

41

An IT auditor is reviewing the business continuity plan (BCP) testing schedule. The organization conducts a test where participants discuss their roles and responses to a scenario without any actual system activation. Which type of test is this?

42

An organization outsources its help desk to a third-party vendor. The contract includes a service level agreement (SLA) with response times. The auditor wants to ensure that the organization can monitor vendor performance. Which clause is most important?

43

An IT auditor is reviewing the asset management process for hardware lifecycle. Which two controls should the auditor verify to ensure secure disposition of decommissioned servers?

44

An organization is implementing a cloud resource management strategy to optimize costs and prevent waste. Which three practices should the auditor recommend?

45

An organization is performing software asset management (SAM) to ensure license compliance. Which two activities should the auditor verify?

46

An organization has defined an RTO of 4 hours for its critical financial system. During a disaster recovery test, the system was recovered in 3.5 hours, but data loss was 30 minutes. Which metric is most directly addressed by the recovery time?

47

During a change management review, an IS auditor discovers that a recent database upgrade was implemented without prior approval from the Change Advisory Board (CAB) because it was classified as a 'standard change.' However, the change involved migrating to a new database version that required application code modifications. What should concern the auditor most?

48

An organization outsources its data center operations to a third-party vendor. The contract includes a right-to-audit clause. During a scheduled audit, the vendor refuses to provide access to logs from a subcontractor managing network security. What is the IS auditor's best course of action?

49

An IS auditor is reviewing the incident management process. Incidents are categorized as P1 (critical) through P4 (low). The SLA for P1 incidents requires initial response within 15 minutes and resolution within 4 hours. The auditor notes that the average time to respond to P1 incidents is 12 minutes, but the average resolution time is 6 hours. The root cause analysis shows that many P1 incidents are due to known errors documented in the known error database (KEDB). What is the most significant finding?

50

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental backups, and is often used to reduce restore time?

51

An organization uses automated job scheduling with dependency management. A critical nightly batch job failed because a prerequisite job did not complete successfully. The job scheduler automatically attempted to rerun the failed job three times, each time failing due to the same dependency. The operations team was not alerted until the next morning. What control should the auditor recommend to improve this process?

52

During a business impact analysis (BIA), the IS auditor identifies that the maximum tolerable downtime (MTD) for an online payment system is 2 hours, and the recovery point objective (RPO) is 15 minutes. The current disaster recovery solution uses nightly backups (12-hour RPO) and can restore the system in 4 hours. Which risk is most critical?

53

An IS auditor is reviewing the release management process for a critical application. The release strategy includes a phased rollout to 10% of users initially, then 50%, then 100%. The first phase revealed a data integrity issue that affected a subset of transactions. The release manager decided to continue with the next phase while a patch was being developed. What should the auditor most recommend?

54

Which type of disaster recovery test involves actually switching over to the alternate site and processing live transactions, but does not require the primary site to be shut down?

55

An organization uses a cloud-based CRM system. The asset management team has implemented tagging to track resource costs by department. During an audit, the IS auditor finds that several orphaned resources (e.g., virtual machines, storage volumes) exist that are not tagged and have been running for months. The cloud service provider's cost allocation report shows these resources under a default account. What is the most significant risk associated with this finding?

56

An IS auditor is reviewing the capacity management process for a server hosting a critical application. The server's CPU utilization has been consistently above 90% for the past three months, and memory usage is at 85%. There are no threshold alerts configured. The capacity plan shows that additional resources are scheduled to be added in six months. What should the auditor most recommend?

57

An organization's IT service desk is the single point of contact for all incidents. The SLA for resolving P2 incidents is 8 hours. The auditor finds that the service desk frequently reassigns P2 incidents to second-level support without updating the incident record, causing delays in resolution. The average resolution time for P2 incidents is 10 hours. What is the primary control weakness?

58

An IS auditor is reviewing the vendor management program for a critical outsourced service. The vendor has recently been acquired by another company. Which TWO factors should the auditor be most concerned about regarding the acquisition?

59

During a disaster recovery planning audit, the IS auditor notes that the organization's plan includes a hot standby site. However, the plan has not been updated in two years, and the last test was a tabletop exercise 18 months ago. The organization has recently implemented a new ERP system. Which THREE findings should the auditor report as most significant?

60

An IS auditor is reviewing the software asset management (SAM) process. The organization uses a mix of commercial off-the-shelf (COTS) and open-source software. The auditor finds that several servers are running end-of-life (EOL) operating systems that are no longer patched. Which TWO risks are most directly associated with this finding?

61

An organization's IT service desk categorizes incidents based on severity levels. A P1 incident is defined as a critical system outage affecting all users. Which of the following is the MOST appropriate target for the initial response time for a P1 incident?

62

During a problem management meeting, the team identifies a recurring issue causing multiple incidents. The root cause is known, but a permanent fix is not yet available. Which of the following is the BEST approach to manage this situation until a permanent fix is implemented?

63

An organization is implementing a change management process. A change that requires approval from the Change Advisory Board (CAB) but is scheduled to be implemented during the next maintenance window is classified as which type of change?

64

An IT auditor is reviewing the release management process. Which of the following is the MOST important control to ensure that new releases do not negatively impact production systems?

65

Which of the following is the PRIMARY purpose of a service desk?

66

An organization uses automated job scheduling for batch processing. A critical job fails due to a dependency on another job that has not completed. Which of the following controls would BEST prevent this issue?

67

An IT auditor is reviewing backup procedures. The organization performs daily full backups and retains them for 30 days. Additionally, weekly backups are retained for 12 months. Which of the following is the MOST likely risk associated with this backup strategy?

68

A system has a Mean Time Between Failures (MTBF) of 500 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

69

During a business impact analysis (BIA), which of the following is the MOST important metric to identify for each critical business process?

70

An organization is selecting an alternate site for disaster recovery. The site must have sufficient equipment to resume operations within a few hours, and the organization is willing to share the site with another business. Which type of alternate site is MOST appropriate?

71

Which of the following disaster recovery test types involves a full switch-over to the alternate site, resulting in actual disruption to normal operations?

72

An organization outsources its data center operations to a third-party provider. Which of the following is the MOST important clause to include in the contract to ensure the organization can verify the provider's controls?

73

During a software asset management (SAM) audit, it is discovered that the organization is using software that has reached end-of-life. Which of the following is the MOST significant risk associated with this situation?

74

An IT auditor is reviewing the capacity management process. Which TWO of the following are key activities that should be performed?

75

An organization is developing a business continuity strategy. Which THREE of the following are essential components of a comprehensive BC strategy?

76

An organization is implementing a new incident management process based on ITIL. An incident classified as P1 (Priority 1) occurs. According to ITIL best practices, what is the most appropriate initial action?

77

During a change management process review, an IS auditor finds that the change advisory board (CAB) approved a change that subsequently caused a major service outage. The change was classified as 'normal' with no emergency. What is the auditor's primary concern?

78

An IS auditor is reviewing automated job scheduling controls. A critical batch job failed due to a dependency on a previous job that had not completed. The system did not alert operations staff. Which control weakness is most significant?

79

An organization performs daily full backups of its critical database. The recovery time objective (RTO) is 4 hours. During a disaster, it takes 6 hours to restore the database. What is the most likely cause?

80

An IS auditor is evaluating the capacity management process. The auditor notices that CPU utilization has been consistently above 90% for the past three months. The IT manager states that no proactive capacity planning has been performed. What is the primary risk?

81

An organization's business continuity plan (BCP) includes alternate facilities that can be operational within 24 hours. The maximum tolerable downtime (MTD) for a critical process is 12 hours. What is the most significant gap?

82

An organization has a disaster recovery plan that includes a hot site. During a full interruption test, the recovery team discovers that the hot site's network configuration is incompatible with the production environment. What is the most likely root cause?

83

An organization is negotiating a contract with a cloud service provider. Which clause is most important for the IS auditor to ensure is included?

84

During a software asset management (SAM) audit, the IS auditor discovers that the organization is using software versions that are no longer supported by the vendor. What is the primary risk?

85

An organization uses a third-party vendor for application support. The vendor has subcontracted some support activities to another firm (fourth party). The contract with the vendor requires the vendor to ensure fourth-party compliance, but there is no direct oversight. What is the IS auditor's primary recommendation?

86

An IS auditor is reviewing the availability management process. The auditor calculates that the mean time between failures (MTBF) is 200 hours and the mean time to repair (MTTR) is 20 hours. What is the availability percentage?

87

An organization is disposing of old servers. The IS auditor reviews the asset disposition process and finds that hard drives are being erased using a standard format command. What is the auditor's primary concern?

88

An IS auditor is reviewing the backup process for a critical database. Which TWO of the following are essential controls to ensure data recoverability?

89

An organization is developing a business continuity strategy. According to best practices, which THREE of the following should be included in the strategy?

90

An IS auditor is reviewing change management for a financial application. Which TWO of the following findings would most likely indicate a control weakness?

91

An organization is implementing an automated job scheduling system. Which of the following is the PRIMARY benefit of using dependency management in job scheduling?

92

An IS auditor is reviewing a backup strategy that includes daily full backups and weekly offsite storage. The recovery time objective (RTO) for a critical application is 4 hours. Which of the following findings would be of GREATEST concern?

93

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

94

An organization uses a hot site as its disaster recovery alternative. Which of the following is the MOST critical consideration when selecting a hot site?

95

During a change management audit, an IS auditor finds that a critical system change was approved by the change manager without a CAB meeting. The change was categorized as a standard change. Which of the following should the auditor do FIRST?

96

An organization has an availability requirement of 99.99% for its online transaction processing system. The system's MTBF is 720 hours. What is the maximum allowable MTTR to meet this requirement?

97

Which of the following is the PRIMARY benefit of conducting a tabletop exercise for disaster recovery?

98

An IS auditor is reviewing a third-party service provider's controls. Which of the following is the MOST important clause to include in the contract to ensure the auditor can assess the provider's controls?

99

An organization uses RAID 5 for its database server. Which of the following is the PRIMARY advantage of RAID 5?

100

During an audit of IT asset management, the IS auditor finds that several servers are running an operating system that has reached end-of-life (EOL). The organization has not deployed any compensating controls. Which of the following is the GREATEST risk?

101

In ITIL incident management, which severity level typically indicates a critical incident that severely impacts business operations and requires immediate resolution?

102

An organization is implementing a software asset management (SAM) program. Which of the following is the PRIMARY benefit of SAM?

103

An IS auditor is reviewing a business continuity plan (BCP). Which TWO of the following are key components of the business continuity strategy? (Select two.)

104

An organization is planning a full interruption test of its disaster recovery plan. Which THREE of the following should the IS auditor recommend as best practices for this type of test? (Select three.)

105

An IS auditor is reviewing problem management processes. Which TWO of the following are key outputs of effective problem management? (Select two.)

106

An organization has implemented a business continuity plan (BCP) and disaster recovery plan (DRP). During a recent full interruption test, the IT team discovered that the recovery time objective (RTO) for a critical application was not met. What is the MOST likely reason for this failure?

107

An IS auditor is reviewing the ITIL incident management process. Which TWO are the correct priority levels and their typical definitions?

108

An IS auditor is reviewing backup procedures for a critical database. Which THREE are key considerations for ensuring backup reliability and recoverability?

109

An organization is implementing a change management process based on ITIL. Which THREE change types should be included in the policy?

110

An IS auditor is assessing the vendor management process. Which TWO are key controls for managing third-party risk?

111

An IS auditor is reviewing the business impact analysis (BIA) for a financial services company. Which THREE metrics are typically defined in a BIA?

112

An IS auditor is evaluating the release management process for a software application. Which TWO are essential components of a successful release plan?

113

An IS auditor is reviewing capacity management practices. Which TWO indicators suggest that proactive capacity management is being performed effectively?

114

An organization uses a cloud service provider (CSP) for critical applications. The IS auditor is reviewing the contract for vendor concentration risk. Which TWO clauses are MOST relevant to mitigating this risk?


Frequently asked questions

What does the Information Systems Operations and Business Resilience domain cover on the CISA exam?

The Information Systems Operations and Business Resilience domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.

How many Information Systems Operations and Business Resilience questions are in the CISA question bank?

The Courseiva CISA question bank contains 114 questions in the Information Systems Operations and Business Resilience domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Information Systems Operations and Business Resilience for CISA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Information Systems Operations and Business Resilience questions for CISA?

Yes — the session launcher on this page draws questions exclusively from the Information Systems Operations and Business Resilience domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
