Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


ISACA · Free Practice Questions · Last reviewed May 2026

CISA Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

150 exam questions
240 min time limit
Pass: 450/1000
5 exam domains
Exam domains:
1. Governance and Management of IT
2. Information Systems Acquisition, Development and Implementation
3. Information Systems Operations and Business Resilience
4. Protection of Information Assets
5. Information System Auditing Process

Domain 1: Governance and Management of IT

Q1 (medium)

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?

A. Implement a privileged access management (PAM) solution to control and monitor elevated access.
   Correct: PAM directly prevents and controls unauthorized privileged access, addressing the root cause.
B. Increase logging and auditing of all user activities.
C. Deploy a security information and event management (SIEM) tool.
D. Terminate the employment of the insider who caused the breach.

Why: A privileged access management (PAM) solution directly addresses the root cause of an insider threat by controlling, monitoring, and auditing elevated access rights. Since the breach was caused by an insider, limiting and tracking privileged accounts prevents unauthorized or excessive use of administrative credentials, which is the most effective preventive measure against recurrence.
Q2 (hard)

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

A. ITIL 4 Service Value System
B. COBIT 2019
   Correct: COBIT 2019 is a comprehensive framework for IT governance and management.
C. ISO/IEC 27001 Information Security Management
D. PMBOK Guide

Why: COBIT 2019 is the most appropriate framework because it is specifically designed for IT governance, providing a comprehensive set of controls and processes to align IT with business objectives and ensure regulatory compliance. In a hybrid cloud strategy, COBIT 2019's focus on governance objectives, stakeholder needs, and risk management directly addresses the board's need for oversight across on-premises and cloud environments, unlike frameworks that target service management, security, or project management.
Q3 (easy)

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

A. Faster adoption of new technologies
B. Enhanced security posture
C. Reduced IT operational costs
D. Increased value of IT investments to business objectives
   Correct: Alignment ensures IT delivers value that supports business strategy.

Why: When IT strategy is aligned with business strategy, every IT investment is directly tied to achieving specific business objectives, such as increasing revenue, improving customer experience, or enabling new business models. This alignment ensures that resources are allocated to projects that deliver measurable business value, rather than being spent on technology for its own sake. The primary benefit is therefore the increased value of IT investments to business objectives, as misalignment often leads to wasted expenditure on systems that do not support core business goals.
Q4 (medium)

A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?

A. Chief Information Officer (CIO)
B. Project Management Office (PMO) director
C. IT Audit Committee
   Correct: An independent audit committee provides objective oversight.
D. Chief Information Security Officer (CISO)

Why: The IT Audit Committee is the correct answer because it provides independent oversight of IT investments by operating outside of management's direct reporting structure. Unlike the CIO, PMO director, or CISO, who are all part of management and may have vested interests in project approvals or resource allocation, the IT Audit Committee reports to the board of directors and ensures that IT investments align with enterprise strategy, risk appetite, and regulatory requirements without bias.
Q5 (hard)

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

A. Accept the change and adjust the project timeline accordingly.
B. Initiate the formal change control process and escalate to the steering committee.
   Correct: Proper change control ensures governance and stakeholder involvement.
C. Implement the change and inform the steering committee later.
D. Reject the change because it is outside the original scope.

Why: The project manager must follow the formal change control process to evaluate the impact of a scope change that lacks additional budget. Escalating to the steering committee is appropriate because they have the authority to approve or reject changes that affect project constraints, ensuring alignment with organizational governance and IT strategy.
Q6 (easy)

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

A. System uptime percentage
B. Average server CPU utilization
   Correct: Directly measures how efficiently computing resources are used.
C. Number of help desk tickets resolved per day
D. Percentage of projects completed on time

Why: Average server CPU utilization directly measures how much of the computing capacity is being consumed over time, making it the most relevant metric for assessing whether IT resources are being used efficiently. High or low CPU utilization can indicate over-provisioning, under-utilization, or potential performance bottlenecks, enabling the IT manager to optimize resource allocation.


Domain 2: Information Systems Acquisition, Development and Implementation

Q1 (medium)

A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?

A. Perform data validation after migration
B. Use data transformation tools to convert formats
C. Implement data reconciliation reports post-migration
D. Run parallel processing and compare outputs
   Correct: Enables side-by-side verification.

Why: Option D is correct because running parallel processing allows the legacy and new SaaS systems to operate simultaneously, enabling real-time comparison of outputs. This approach directly validates data integrity by detecting discrepancies during migration, not after, which is critical for ERP systems where transactional accuracy is paramount.
Q2 (easy)

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

A. Continuous stakeholder feedback is incorporated
   Correct: Agile emphasizes ongoing collaboration.
B. Detailed requirements are defined upfront
C. Documentation is minimized to save time
D. The entire system is delivered at once

Why: Agile methodologies emphasize iterative development with continuous stakeholder feedback, which is critical for a customer portal where user needs evolve. This ensures the final product aligns with actual requirements, reducing rework and increasing satisfaction. Option A directly captures this core benefit.
Q3 (hard)

During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?

A. Instruct the business to work around the issue until the next release
B. Authorize the development team to fix the bug immediately and re-deploy
C. Roll back to the previous version of the application
D. Log the defect and perform impact analysis before approving a fix
   Correct: Ensures proper change management.

Why: Option D is correct because in the UAT phase, any defect must be formally logged and subjected to impact analysis before a fix is approved. This ensures that the proposed change does not introduce new risks, break other functionality, or violate regulatory compliance—critical for a financial application handling interest calculations. Skipping this process could lead to cascading failures or audit findings.
Q4 (medium)

An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?

A. Test data is refreshed from production monthly
B. Developers use local development environments
C. Developers have production database access
   Correct: Violates segregation of duties.
D. Code reviews are performed by senior developers

Why: Developers having direct production database access violates the principle of segregation of duties and poses a significant risk of unauthorized data modification, deletion, or exfiltration. In a well-controlled SDLC, production access should be restricted to operations or DBA teams, with changes promoted through automated deployment pipelines. This finding directly undermines data integrity and confidentiality controls.
Q5 (easy)

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

A. Conducting a vendor demonstration
B. Developing a project plan with milestones
C. Performing a gap analysis between requirements and software features
   Correct: Directly addresses requirements coverage.
D. Reviewing the software's technical architecture

Why: Performing a gap analysis is the most important activity because it systematically maps each business requirement against the COTS software's delivered features, identifying any shortfalls that must be addressed through configuration, customization, or process adaptation. Without this structured comparison, the organization risks deploying software that fails to support critical business processes, leading to costly rework or project failure.
Q6 (medium)

A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?

A. Inadequate documentation
   Correct: Speed can compromise documentation.
B. Reduced stakeholder involvement
C. Longer development time
D. Difficulty in prototyping

Why: RAD prioritizes speed and iterative prototyping over formal documentation. Because the focus is on quickly delivering working software through user feedback and short development cycles, comprehensive documentation is often neglected or produced after the fact, leading to inadequate records for maintenance, auditing, and compliance.


Domain 3: Information Systems Operations and Business Resilience

Q1 (medium)

An organization experiences a critical system failure during non-business hours. The IT team discovers that the last full backup was 48 hours ago, and the incremental backups for the past 24 hours are corrupted. The recovery time objective (RTO) for this system is 4 hours, and the recovery point objective (RPO) is 1 hour. Which of the following is the MOST immediate concern?

A. The backup schedule should be changed to daily full backups
B. The data loss may exceed the recovery point objective (RPO)
   Correct: With corrupted incremental backups, data loss will be at least 48 hours, far exceeding the 1-hour RPO.
C. The root cause of the failure must be determined before recovery
D. The recovery time objective (RTO) of 4 hours will be exceeded

Why: The RPO of 1 hour means the organization can tolerate losing at most 1 hour of data. With the last full backup 48 hours old and incremental backups for the past 24 hours corrupted, the usable recovery point is at least 24 hours old, resulting in data loss far exceeding the 1-hour RPO. This gap between actual and acceptable data loss is the most immediate concern because it directly violates the business continuity requirement.
Q2 (hard)

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

A. The hot site uses a different internet service provider than the primary site
B. The hot site has not been tested in the past 12 months
C. The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster
   Correct: If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.
D. The hot site is located in the same seismic zone as the primary site

Why: Option C is correct because a reciprocal agreement for a shared hot site does not guarantee exclusive access during a disaster. If both organizations declare a disaster simultaneously, the site may become oversubscribed, leading to resource contention and potential failure of the BCP. This directly undermines the recovery capability, making it the most critical finding.
Q3 (easy)

A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?

A. Offline full backup performed weekly
B. Differential backup performed daily
C. Online backup with transaction log backups
   Correct: Online backups run while the database is active, and transaction logs allow point-in-time recovery with minimal data loss.
D. Full backup performed during low-usage periods

Why: Online backup with transaction log backups (Option C) is correct because it allows the database to remain fully operational (24/7 availability) while capturing every committed transaction in the transaction log. In the event of a failure, you can restore the most recent full backup and then apply all subsequent transaction log backups to recover to the exact point of failure, minimizing data loss to only uncommitted transactions.
Q4 (hard)

During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?

A. Maintaining a configuration management database (CMDB)
B. Implementing a change management process for SAN configurations
C. Using automated replication monitoring tools
D. Conducting regular disaster recovery testing including full failover
   Correct: Regular testing validates that all components work together, including SAN zoning.

Why: Option D is correct because regular disaster recovery testing that includes a full failover is the only control that directly validates that the DR site's SAN zoning is correctly configured to accept replicated data. Without such testing, misconfigurations like incorrect zone sets or missing WWPN (World Wide Port Name) mappings in the SAN fabric remain undetected until an actual failover is attempted. This aligns with the CISA emphasis on testing recovery procedures to ensure business continuity.
Q5 (medium)

A company's backup policy requires that backup tapes be stored offsite for at least one year. During an audit, the auditor finds that the offsite storage facility is not access-controlled and backup tapes are not encrypted. Which of the following is the auditor's BEST recommendation?

A. Negotiate a new contract with a different offsite storage provider
B. Move the tapes back to the primary site until the offsite facility is secured
C. Implement a check-in/check-out log for the offsite facility
D. Encrypt all backup tapes before sending them offsite
   Correct: Encryption mitigates the risk of unauthorized access to data on the tapes.

Why: The core issue is that backup tapes contain sensitive data and are stored in an uncontrolled environment. Encrypting the tapes before transport ensures that even if the physical security of the offsite facility is compromised, the data remains confidential. This directly addresses the risk of unauthorized access to the data, which is the primary concern, and is a cost-effective, immediate control that does not disrupt operations.
Q6 (easy)

An organization is implementing a business continuity plan (BCP). Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

A. To document the step-by-step recovery procedures for each system
B. To identify potential threats and vulnerabilities to the organization
C. To inventory all IT assets and their configurations
D. To identify critical business processes and their recovery time objectives (RTOs)
   Correct: BIA helps prioritize processes and define RTOs and RPOs.

Why: The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly drives the recovery time objectives (RTOs) and recovery point objectives (RPOs). These RTOs and RPOs form the foundation for selecting appropriate recovery strategies and technologies, such as synchronous replication for near-zero RPO or warm standby sites for specific RTO windows. Without a BIA, the BCP would lack the business-driven metrics needed to prioritize recovery efforts and allocate resources effectively.


Domain 4: Protection of Information Assets

Q1 (medium)

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?

A. Use default policies without modification
B. Limit scope to one department to minimize noise
C. Deploy in monitor-only mode and analyze alerts for a period
   Correct: Monitor-only mode allows policy tuning without impact.
D. Block all sensitive data transmissions immediately

Why: Deploying a DLP solution in monitor-only mode allows the organization to observe what data is being transmitted and generate alerts without blocking any traffic. This enables security teams to analyze the alerts against actual business workflows, fine-tune policies, and eliminate false positives before moving to an active enforcement mode. It is a best practice for initial deployment to avoid disrupting legitimate business operations.
Q2 (hard)

During an audit, an IS auditor finds that the organization uses a cloud-based identity provider (IdP) for single sign-on (SSO) but does not enforce multi-factor authentication (MFA) for all users. Which of the following is the BEST recommendation to reduce risk?

A. Require MFA only for external-facing applications
B. Disable SSO and require separate passwords for each application
C. Reduce session timeout to 15 minutes
D. Enforce MFA for all users accessing any application
   Correct: Comprehensive MFA reduces risk of unauthorized access.

Why: Enforcing MFA for all users accessing any application is the best recommendation because it directly addresses the lack of a second authentication factor, which is the primary control to mitigate credential theft and unauthorized access. In a cloud-based IdP SSO environment, a single compromised password grants access to all integrated applications, so MFA must be applied universally to protect the entire trust boundary, not just external-facing apps. This aligns with NIST SP 800-63B and zero-trust principles, ensuring that every authentication request is verified with something the user knows and something they have.
Q3 (easy)

An organization has implemented role-based access control (RBAC). Which of the following is the PRIMARY benefit of RBAC?

A. Simplified user permission management
   Correct: RBAC streamlines access control administration.
B. Encryption of sensitive data at rest
C. Elimination of compliance requirements
D. Improved protection against malware

Why: RBAC simplifies user permission management by assigning permissions to roles rather than individuals, allowing administrators to grant or revoke access by modifying role memberships. This reduces administrative overhead and the risk of permission errors, as changes propagate automatically to all users in a role. The primary benefit is operational efficiency in access control, not direct security features like encryption or malware protection.
Q4 (medium)

An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?

A. Employees receive data classification training only once per year
B. Data classification is performed manually without automated tools
C. Sensitive data is not encrypted at rest
D. Data owners have not been identified for most data assets
   Correct: Without data owners, classification cannot be enforced.

Why: Without identified data owners, no one is accountable for classifying, protecting, or granting access to data assets. This foundational gap undermines the entire data classification policy, making it impossible to enforce controls like encryption or access reviews. CISA guidance emphasizes that data owner assignment is the first step in any data governance framework.
Q5 (hard)

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

A. Implement just-in-time (JIT) privilege elevation
   Correct: JIT reduces exposure time.
B. Enforce multi-factor authentication for all privileged accounts
C. Monitor and record all privileged sessions
D. Rotate passwords after each use

Why: Just-in-time (JIT) privilege elevation is the most important control to prevent lateral movement because it eliminates standing privileged access. By granting temporary, time-bound privileges only when needed, JIT reduces the attack surface and ensures that even if an attacker compromises a privileged account, they cannot use those credentials to move laterally to other systems after the access window expires. This directly addresses the root cause of lateral movement: persistent privileged credentials that can be reused across the network.
Q6 (easy)

An organization wants to ensure that data is not retained longer than necessary. Which of the following is the BEST control to implement?

A. Encrypt all data at rest
B. Implement a backup retention policy
C. Use role-based access controls
D. Define and enforce data retention schedules
   Correct: Retention schedules ensure data is deleted when no longer needed.

Why: Defining and enforcing data retention schedules directly addresses the requirement to not retain data longer than necessary by specifying precise timeframes for data deletion or archival. This control ensures compliance with legal, regulatory, and business needs by automating the lifecycle management of data, such as through expiration policies in object storage (e.g., S3 Lifecycle rules) or database TTL (time-to-live) settings. Without such schedules, data may persist indefinitely, increasing storage costs and regulatory risk.


Domain 5: Information System Auditing Process

Q1 (medium)

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?

A. Inadequate segregation of duties between development and production environments
   Correct: Direct production access by developers violates segregation of duties.
B. Absence of a rollback plan for emergency changes
C. Insufficient testing of emergency changes before deployment
D. Lack of a formal change documentation policy

Why: The developer bypassed the standard change approval process by making an emergency change directly to production, then retroactively documenting it as a normal change. This directly violates the principle of segregation of duties (SoD), as the same individual who implemented the change also controlled the documentation and approval trail, eliminating independent oversight. In a properly segregated environment, developers should not have direct write access to production systems without a separate change authorization and deployment step.
Q2 (hard)

Based on the exhibit, what should the IS auditor MOST likely recommend?

A. Investigate whether any changes are missing from the log
B. Immediately block all direct production access for developers
C. Require all changes to go through the standard approval process
D. Review the criteria for emergency changes and enforce proper classification
   Correct: The high number of post-approved emergency changes suggests the process is being bypassed.

Why: The exhibit shows changes classified as 'emergency' bypassing the standard approval process. The IS auditor's primary concern is that emergency changes may be misclassified to avoid proper review, increasing risk. Option D is correct because it addresses the root cause: reviewing the criteria for emergency changes and enforcing proper classification ensures that only truly urgent changes bypass standard controls, while all others follow the required approval path.
Q3 (easy)

An IS auditor is evaluating the effectiveness of an organization's business continuity plan (BCP). Which of the following findings would be of GREATEST concern?

A. The backup tapes are stored in a locked cabinet in the server room
B. The BCP contact list has not been updated in six months
C. The BCP has not been tested in over two years
   Correct: Lack of testing means the plan may fail in a disaster.
D. The BCP relies on manual workarounds for critical systems

Why: The fact that the BCP has not been tested in over two years is the greatest concern because testing is the only way to validate that the plan works under real-world conditions. Without recent testing, the organization cannot be confident that recovery time objectives (RTOs) and recovery point objectives (RPOs) are achievable, and any gaps or assumptions in the plan remain undiscovered. ISACA standards recommend testing at least annually, and a two-year gap significantly increases the risk of plan failure during an actual disaster.
Q4 (medium)

During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?

A. Recommend that the policy be changed to allow quarterly reviews
B. Report the noncompliance with the policy as a finding immediately
C. Escalate the issue to senior management for immediate resolution
D. Determine if compensating controls mitigate the risk of less frequent reviews
   Correct: Compensating controls may make quarterly reviews acceptable.

Why: The IS auditor's primary role is to assess risk, not to enforce policy blindly. Quarterly reviews may still be acceptable if compensating controls (e.g., automated provisioning/deprovisioning, real-time monitoring, or role-based access controls) effectively reduce the risk of unauthorized access between reviews. Determining the presence and effectiveness of such controls is the best initial action before deciding whether to report noncompliance.
Q5 (hard)

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

A. Internal_Audit group has Read access to payroll data
B. User asmith has only Read access to payroll
C. HR_Managers group has Full Control over payroll
D. Potential excessive privileges for user jdoe due to overlapping permissions
   Correct: Overlapping permissions may grant unintended access.

Why: Option D is the most significant finding because user jdoe has overlapping permissions from multiple group memberships (e.g., HR_Managers and Payroll_Admin), which can result in unintended cumulative effective permissions. In Windows NTFS, effective permissions are the sum of all allowed permissions from each group, minus any explicit denies, so overlapping group memberships often grant more access than intended, violating the principle of least privilege.
Q6 (medium)

Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?

A. Requiring change management approval for all production changes
   Correct: Ensures changes are authorized before implementation.
B. Enforcing segregation of duties between development and production
   Correct: Prevents unauthorized changes by separating roles.
C. Implementing audit logging of all data changes
D. Encrypting production data at rest
E. Using automated testing for all code changes

Why: Requiring change management approval for all production changes is a preventive control that ensures every modification to production data is formally authorized, reviewed, and documented before implementation. This directly prevents unauthorized changes by enforcing a gatekeeping process where only approved changes proceed, reducing the risk of data integrity breaches. Without this control, even with other safeguards, an attacker or insider could bypass technical controls by simply requesting a change through official channels.


Frequently asked questions

How many questions are on the CISA exam?

The CISA exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.

What types of questions appear on the CISA exam?

Multiple-choice scenario questions on IS audit processes, IT governance, systems acquisition, operations, and information asset protection.

How are CISA questions organised by domain?

The exam covers 5 domains: Governance and Management of IT; Information Systems Acquisition, Development and Implementation; Information Systems Operations and Business Resilience; Protection of Information Assets; and Information System Auditing Process. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CISA exam questions?

No. These are original exam-style practice questions written against the official ISACA CISA exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
