ISACA · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer marked and a plain-English explanation of why it's right and why the others are wrong.
Governance and Management of IT

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?
Implement a privileged access management (PAM) solution to control and monitor elevated access. (correct)
PAM directly prevents and controls unauthorized privileged access, addressing the root cause.
Increase logging and auditing of all user activities.
Deploy a security information and event management (SIEM) tool.
Terminate the employment of the insider who caused the breach.
A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?
ITIL 4 Service Value System
COBIT 2019 (correct)
COBIT 2019 is a comprehensive framework for IT governance and management.
ISO/IEC 27001 Information Security Management
PMBOK Guide
An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?
Faster adoption of new technologies
Enhanced security posture
Reduced IT operational costs
Increased value of IT investments to business objectives (correct)
Alignment ensures IT delivers value that supports business strategy.
A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?
Chief Information Officer (CIO)
Project Management Office (PMO) director
IT Audit Committee (correct)
An independent audit committee provides objective oversight.
Chief Information Security Officer (CISO)
An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?
Accept the change and adjust the project timeline accordingly.
Initiate the formal change control process and escalate to the steering committee. (correct)
Proper change control ensures governance and stakeholder involvement.
Implement the change and inform the steering committee later.
Reject the change because it is outside the original scope.
An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?
System uptime percentage
Average server CPU utilization (correct)
Average CPU utilization directly measures how efficiently computing resources are used.
Number of help desk tickets resolved per day
Percentage of projects completed on time
Information Systems Acquisition, Development and Implementation

A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?
Perform data validation after migration
Use data transformation tools to convert formats
Implement data reconciliation reports post-migration
Run parallel processing and compare outputs (correct)
Running the legacy and new systems in parallel enables side-by-side verification of outputs.
An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?
Continuous stakeholder feedback is incorporated (correct)
Agile emphasizes ongoing collaboration.
Detailed requirements are defined upfront
Documentation is minimized to save time
The entire system is delivered at once
During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?
Instruct the business to work around the issue until the next release
Authorize the development team to fix the bug immediately and re-deploy
Roll back to the previous version of the application
Log the defect and perform impact analysis before approving a fix (correct)
Logging the defect and analysing its impact first ensures proper change management.
An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?
Test data is refreshed from production monthly
Developers use local development environments
Developers have production database access (correct)
Developer access to production violates segregation of duties.
Code reviews are performed by senior developers
When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?
Conducting a vendor demonstration
Developing a project plan with milestones
Performing a gap analysis between requirements and software features (correct)
A gap analysis directly addresses whether the package covers the business requirements.
Reviewing the software's technical architecture
A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?
Inadequate documentation (correct)
The emphasis on speed in RAD can compromise documentation.
Reduced stakeholder involvement
Longer development time
Difficulty in prototyping
Information Systems Operations and Business Resilience

An organization experiences a critical system failure during non-business hours. The IT team discovers that the last full backup was 48 hours ago, and the incremental backups for the past 24 hours are corrupted. The recovery time objective (RTO) for this system is 4 hours, and the recovery point objective (RPO) is 1 hour. Which of the following is the MOST immediate concern?
The backup schedule should be changed to daily full backups
The data loss may exceed the recovery point objective (RPO) (correct)
With corrupted incremental backups, data loss will be at least 48 hours, far exceeding the 1-hour RPO.
The root cause of the failure must be determined before recovery
The recovery time objective (RTO) of 4 hours will be exceeded
An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?
The hot site uses a different internet service provider than the primary site
The hot site has not been tested in the past 12 months
The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster (correct)
If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.
The hot site is located in the same seismic zone as the primary site
A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?
Offline full backup performed weekly
Differential backup performed daily
Online backup with transaction log backups (correct)
Online backups run while the database is active, and transaction logs allow point-in-time recovery with minimal data loss.
Full backup performed during low-usage periods
During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?
Maintaining a configuration management database (CMDB)
Implementing a change management process for SAN configurations
Using automated replication monitoring tools
Conducting regular disaster recovery testing including full failover (correct)
Regular testing validates that all components work together, including SAN zoning.
A company's backup policy requires that backup tapes be stored offsite for at least one year. During an audit, the auditor finds that the offsite storage facility is not access-controlled and backup tapes are not encrypted. Which of the following is the auditor's BEST recommendation?
Negotiate a new contract with a different offsite storage provider
Move the tapes back to the primary site until the offsite facility is secured
Implement a check-in/check-out log for the offsite facility
Encrypt all backup tapes before sending them offsite (correct)
Encryption mitigates the risk of unauthorized access to data on the tapes.
An organization is implementing a business continuity plan (BCP). Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?
To document the step-by-step recovery procedures for each system
To identify potential threats and vulnerabilities to the organization
To inventory all IT assets and their configurations
To identify critical business processes and their recovery time objectives (RTOs) (correct)
BIA helps prioritize processes and define RTOs and RPOs.
Protection of Information Assets

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?
Use default policies without modification
Limit scope to one department to minimize noise
Deploy in monitor-only mode and analyze alerts for a period (correct)
Monitor-only mode allows policy tuning without impact.
Block all sensitive data transmissions immediately
During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?
Require MFA only for external-facing applications
Disable SSO and require separate passwords for each application
Reduce session timeout to 15 minutes
Enforce MFA for all users accessing any application (correct)
Comprehensive MFA reduces risk of unauthorized access.
An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?
Simplified user permission management (correct)
RBAC streamlines access control administration.
Encryption of sensitive data at rest
Elimination of compliance requirements
Improved protection against malware
An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?
Employees receive data classification training only once per year
Data classification is performed manually without automated tools
Sensitive data is not encrypted at rest
Data owners have not been identified for most data assets (correct)
Without data owners, classification cannot be enforced.
A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?
Implement just-in-time (JIT) privilege elevation (correct)
JIT elevation reduces the exposure time of privileged access.
Enforce multi-factor authentication for all privileged accounts
Monitor and record all privileged sessions
Rotate passwords after each use
An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?
Encrypt all data at rest
Implement a backup retention policy
Use role-based access controls
Define and enforce data retention schedules (correct)
Retention schedules ensure data is deleted when no longer needed.
Information System Auditing Process

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?
Inadequate segregation of duties between development and production environments (correct)
Direct production access by developers violates segregation of duties.
Absence of a rollback plan for emergency changes
Insufficient testing of emergency changes before deployment
Lack of a formal change documentation policy
Based on the exhibit, what should the IS auditor MOST likely recommend?
Investigate whether any changes are missing from the log
Immediately block all direct production access for developers
Require all changes to go through the standard approval process
Review the criteria for emergency changes and enforce proper classification (correct)
The high number of post-approved emergency changes suggests the process is being bypassed.
An IS auditor is evaluating the effectiveness of an organization's business continuity plan (BCP). Which of the following findings would be of GREATEST concern?
The backup tapes are stored in a locked cabinet in the server room
The BCP contact list has not been updated in six months
The BCP has not been tested in over two years (correct)
Lack of testing means the plan may fail in a disaster.
The BCP relies on manual workarounds for critical systems
During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?
Recommend that the policy be changed to allow quarterly reviews
Report the noncompliance with the policy as a finding immediately
Escalate the issue to senior management for immediate resolution
Determine if compensating controls mitigate the risk of less frequent reviews (correct)
Compensating controls may make quarterly reviews acceptable.
Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?
Internal_Audit group has Read access to payroll data
User asmith has only Read access to payroll
HR_Managers group has Full Control over payroll
Potential excessive privileges for user jdoe due to overlapping permissions (correct)
Overlapping permissions may grant unintended access.
Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?
Requiring change management approval for all production changes (correct)
Change approval ensures changes are authorized before implementation.
Enforcing segregation of duties between development and production (correct)
Segregation of duties prevents unauthorized changes by separating roles.
Implementing audit logging of all data changes
Encrypting production data at rest
Using automated testing for all code changes
The CISA exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.
Multiple-choice scenario questions on IS audit processes, IT governance, systems acquisition, operations, and information asset protection.
The exam covers 5 domains: Governance and Management of IT, Information Systems Acquisition, Development and Implementation, Information Systems Operations and Business Resilience, Protection of Information Assets, Information System Auditing Process. Questions are weighted by domain; higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISACA CISA exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.