Courseiva

CISA Information Systems Operations and Business Resilience • Complete Question Bank

CISA Information Systems Operations and Business Resilience — All Questions With Answers

Complete CISA Information Systems Operations and Business Resilience question bank — all 0 questions with answers and detailed explanations.

114 questions
Question 1 (easy, multiple choice)

An organization is implementing a new incident management process aligned with ITIL. The IT team discovers a critical system is down, affecting all users. According to ITIL, what severity level should be assigned to this incident?

Question 2 (medium, multiple choice)

During a change advisory board (CAB) meeting, a proposed change to the database server is discussed. The change involves implementing a security patch that requires a reboot. The change is categorized as 'normal' and has been risk-assessed as low impact. What is the most likely role of the CAB in this scenario?

Question 3 (hard, multiple choice)

An organization's backup strategy includes daily incremental backups and weekly full backups. During a disaster recovery test, the restoration of a critical server fails because a required incremental backup is corrupt. Which control should the organization implement to verify the integrity of backups?

Question 4 (easy, multiple choice)

In business continuity planning, a company identifies a critical business process with a maximum tolerable downtime (MTD) of 4 hours. What is the primary purpose of this metric?

Question 5 (medium, multiple choice)

An IT auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes are frequently approved by the change manager without CAB review. Which risk is most associated with this practice?

Question 6 (medium, multiple choice)

A company outsources its IT help desk to a third-party vendor. The service level agreement (SLA) specifies that all P1 incidents must be resolved within 2 hours. During an audit, the auditor finds that the vendor’s average resolution time for P1 incidents is 3 hours. What is the most appropriate recommendation?

Question 7 (hard, multiple choice)

During a business impact analysis (BIA), a department manager states that their process can be disrupted for up to 8 hours, but data loss cannot exceed 15 minutes. Which two metrics are defined by these statements?

Question 8 (easy, multiple choice)

An organization uses automated job scheduling for nightly batch processing. One job fails due to a missing dependency file. What is the most effective control to prevent recurrence?

Question 9 (medium, multiple choice)

An organization is implementing a disaster recovery plan. The DR team wants to test the plan with minimal risk and without impacting production operations. Which type of test is most appropriate?

Question 10 (hard, multiple choice)

A company uses a RAID 5 array for its file server. One disk fails, and the system continues to operate. However, during the rebuild process, a second disk fails. What is the likely consequence?

Question 11 (medium, multiple choice)

An auditor is reviewing IT asset management processes. The auditor finds that several servers running an older operating system are still in production, even though the vendor has ended support. What is the primary risk associated with this finding?

Question 12 (hard, multiple choice)

A company's availability monitoring shows that a critical application has an average MTBF of 720 hours and an average MTTR of 4 hours. What is the availability percentage?

Question 13 (medium, multi-select)

An organization is developing a business continuity strategy for its key customer-facing application. The BIA determined an RTO of 2 hours and an RPO of 30 minutes. Which TWO strategies are most appropriate to meet these objectives?

Question 14 (hard, multi-select)

During a vendor audit, an IS auditor discovers that a cloud service provider uses subcontractors to manage data storage. The contract does not mention subcontracting. Which THREE risks should the auditor highlight to management?

Question 15 (easy, multi-select)

An organization is implementing a new release management process. Which TWO activities are essential components of a successful release?

Question 16 (easy, multiple choice)

An organization has defined an SLA that requires critical incidents to be resolved within 4 hours. A P1 incident is reported at 10:00 AM. At what time must the incident be resolved to meet the SLA?

Question 17 (medium, multiple choice)

During a recent audit, the IT auditor found that the problem management process does not include a known error database (KEDB). Which of the following is the MOST significant risk associated with this finding?

Question 18 (medium, multiple choice)

An organization uses a standard change model for low-risk, pre-approved changes. Which of the following is an example of a standard change?

Question 19 (hard, multiple choice)

An IS auditor is reviewing the change management process and notices that several emergency changes were implemented without post-implementation review. What is the PRIMARY concern?

Question 20 (medium, multiple choice)

An organization's backup strategy includes full backups every Sunday and incremental backups on other days. On Wednesday, a failure occurs. Which backups are needed to restore the data?

Question 21 (easy, multiple choice)

Which of the following backup types copies only data that has changed since the last full backup?

Question 22 (hard, multiple choice)

An IT auditor is evaluating the capacity management process. Which of the following findings would be of MOST concern?

Question 23 (medium, multiple choice)

A system has a Mean Time Between Failures (MTBF) of 200 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

Question 24 (medium, multiple choice)

An organization is conducting a Business Impact Analysis (BIA). Which of the following metrics defines the maximum acceptable outage time for a critical business process?

Question 25 (hard, multiple choice)

During a disaster recovery test, the IS auditor observes that the alternate site uses a warm site configuration. Which of the following is a characteristic of a warm site?

Question 26 (easy, multiple choice)

Which type of disaster recovery test involves a full switch-over from the primary site to the alternate site, resulting in actual disruption of normal operations?

Question 27 (medium, multiple choice)

An organization outsources its IT help desk to a third-party vendor. Which clause is MOST important for the IS auditor to verify in the contract to ensure the organization can assess the vendor's controls?

Question 28 (medium, multi-select)

Which TWO of the following are key considerations when managing software licenses in an organization? (Select TWO).

Question 29 (hard, multi-select)

An IS auditor is reviewing the end-of-life (EOL) software policy. Which THREE risks are associated with running unsupported software? (Select THREE).

Question 30 (medium, multi-select)

Which TWO of the following are important controls for managing cloud resources to prevent cost overruns? (Select TWO).

Question 31 (medium, multiple choice)

An organization classifies IT incidents based on severity. A critical financial application is unavailable, impacting all users. According to ITIL best practices, which severity level should this incident be assigned?

Question 32 (easy, multiple choice)

During a change management board (CAB) meeting, a proposed change to the network firewall configuration is discussed. The change is considered low risk and pre-approved. Which type of change does this represent?

Question 33 (medium, multiple choice)

An IT auditor is reviewing the problem management process. The IT team maintains a repository of known errors with documented workarounds. Which component of problem management is this?

Question 34 (hard, multiple choice)

An organization uses automated job scheduling for batch processing. A critical payroll job fails due to a dependency on a prior job that did not complete. The job scheduler is configured to handle dependencies. What should the auditor verify regarding rerun procedures?

Question 35 (medium, multiple choice)

A company performs daily full backups of its database and weekly incremental backups. The backup retention policy requires keeping full backups for 30 days and incremental backups for 7 days. An auditor reviews the backup schedule. Which backup type provides the fastest restore?

Question 36 (hard, multiple choice)

An organization's backup strategy includes taking full backups weekly and transactional log backups every 15 minutes. The auditor wants to verify that backup encryption is implemented for offsite storage. Which control is most relevant?

Question 37 (easy, multiple choice)

An IT auditor is reviewing capacity management. The server team monitors CPU utilization and disk space. They receive alerts when thresholds are exceeded. Which practice is most effective for proactive capacity planning?

Question 38 (medium, multiple choice)

An organization's availability management team reports that a critical server has an MTBF of 720 hours and an MTTR of 4 hours. What is the availability percentage for this server?

Question 39 (medium, multiple choice)

During a business impact analysis (BIA), the auditor identifies a critical process with a maximum tolerable downtime (MTD) of 4 hours. The IT department proposes a recovery time objective (RTO) of 2 hours and a recovery point objective (RPO) of 1 hour. Which statement is correct?

Question 40 (hard, multiple choice)

An organization is selecting a disaster recovery (DR) site. The primary data center is located in a region prone to earthquakes. The DR site should be at a sufficient distance to avoid the same disaster. Which type of alternate site provides the best balance of cost and recovery time for a medium-sized organization?

Question 41 (easy, multiple choice)

An IT auditor is reviewing the business continuity plan (BCP) testing schedule. The organization conducts a test where participants discuss their roles and responses to a scenario without any actual system activation. Which type of test is this?

Question 42 (medium, multiple choice)

An organization outsources its help desk to a third-party vendor. The contract includes a service level agreement (SLA) with response times. The auditor wants to ensure that the organization can monitor vendor performance. Which clause is most important?

Question 43 (medium, multi-select)

An IT auditor is reviewing the asset management process for hardware lifecycle. Which two controls should the auditor verify to ensure secure disposition of decommissioned servers?

Question 44 (hard, multi-select)

An organization is implementing a cloud resource management strategy to optimize costs and prevent waste. Which three practices should the auditor recommend?

Question 45 (medium, multi-select)

An organization is performing software asset management (SAM) to ensure license compliance. Which two activities should the auditor verify?

Question 46 (easy, multiple choice)

An organization has defined an RTO of 4 hours for its critical financial system. During a disaster recovery test, the system was recovered in 3.5 hours, but data loss was 30 minutes. Which metric is most directly addressed by the recovery time?

Question 47 (medium, multiple choice)

During a change management review, an IS auditor discovers that a recent database upgrade was implemented without prior approval from the Change Advisory Board (CAB) because it was classified as a 'standard change.' However, the change involved migrating to a new database version that required application code modifications. What should concern the auditor most?

Question 48 (medium, multiple choice)

An organization outsources its data center operations to a third-party vendor. The contract includes a right-to-audit clause. During a scheduled audit, the vendor refuses to provide access to logs from a subcontractor managing network security. What is the IS auditor's best course of action?

Question 49 (hard, multiple choice)

An IS auditor is reviewing the incident management process. Incidents are categorized as P1 (critical) through P4 (low). The SLA for P1 incidents requires initial response within 15 minutes and resolution within 4 hours. The auditor notes that the average time to respond to P1 incidents is 12 minutes, but the average resolution time is 6 hours. The root cause analysis shows that many P1 incidents are due to known errors documented in the known error database (KEDB). What is the most significant finding?

Question 50 (easy, multiple choice)

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental backups, and is often used to reduce restore time?

Question 51 (medium, multiple choice)

An organization uses automated job scheduling with dependency management. A critical nightly batch job failed because a prerequisite job did not complete successfully. The job scheduler automatically attempted to rerun the failed job three times, each time failing due to the same dependency. The operations team was not alerted until the next morning. What control should the auditor recommend to improve this process?

Question 52 (medium, multiple choice)

During a business impact analysis (BIA), the IS auditor identifies that the maximum tolerable downtime (MTD) for an online payment system is 2 hours, and the recovery point objective (RPO) is 15 minutes. The current disaster recovery solution uses nightly backups (12-hour RPO) and can restore the system in 4 hours. Which risk is most critical?

Question 53 (hard, multiple choice)

An IS auditor is reviewing the release management process for a critical application. The release strategy includes a phased rollout to 10% of users initially, then 50%, then 100%. The first phase revealed a data integrity issue that affected a subset of transactions. The release manager decided to continue with the next phase while a patch was being developed. What should the auditor most recommend?

Question 54 (easy, multiple choice)

Which type of disaster recovery test involves actually switching over to the alternate site and processing live transactions, but does not require the primary site to be shut down?

Question 55 (hard, multiple choice)

An organization uses a cloud-based CRM system. The asset management team has implemented tagging to track resource costs by department. During an audit, the IS auditor finds that several orphaned resources (e.g., virtual machines, storage volumes) exist that are not tagged and have been running for months. The cloud service provider's cost allocation report shows these resources under a default account. What is the most significant risk associated with this finding?

Question 56 (medium, multiple choice)

An IS auditor is reviewing the capacity management process for a server hosting a critical application. The server's CPU utilization has been consistently above 90% for the past three months, and memory usage is at 85%. There are no threshold alerts configured. The capacity plan shows that additional resources are scheduled to be added in six months. What should the auditor most recommend?

Question 57 (hard, multiple choice)

An organization's IT service desk is the single point of contact for all incidents. The SLA for resolving P2 incidents is 8 hours. The auditor finds that the service desk frequently reassigns P2 incidents to second-level support without updating the incident record, causing delays in resolution. The average resolution time for P2 incidents is 10 hours. What is the primary control weakness?

Question 58 (medium, multi-select)

An IS auditor is reviewing the vendor management program for a critical outsourced service. The vendor has recently been acquired by another company. Which TWO factors should the auditor be most concerned about regarding the acquisition?

Question 59 (hard, multi-select)

During a disaster recovery planning audit, the IS auditor notes that the organization's plan includes a hot standby site. However, the plan has not been updated in two years, and the last test was a tabletop exercise 18 months ago. The organization has recently implemented a new ERP system. Which THREE findings should the auditor report as most significant?

Question 60 (medium, multi-select)

An IS auditor is reviewing the software asset management (SAM) process. The organization uses a mix of commercial off-the-shelf (COTS) and open-source software. The auditor finds that several servers are running end-of-life (EOL) operating systems that are no longer patched. Which TWO risks are most directly associated with this finding?

Question 61 (easy, multiple choice)

An organization's IT service desk categorizes incidents based on severity levels. A P1 incident is defined as a critical system outage affecting all users. Which of the following is the MOST appropriate target for the initial response time for a P1 incident?

Question 62 (medium, multiple choice)

During a problem management meeting, the team identifies a recurring issue causing multiple incidents. The root cause is known, but a permanent fix is not yet available. Which of the following is the BEST approach to manage this situation until a permanent fix is implemented?

Question 63 (hard, multiple choice)

An organization is implementing a change management process. A change that requires approval from the Change Advisory Board (CAB) but is scheduled to be implemented during the next maintenance window is classified as which type of change?

Question 64 (medium, multiple choice)

An IT auditor is reviewing the release management process. Which of the following is the MOST important control to ensure that new releases do not negatively impact production systems?

Question 65 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a service desk?

Question 66 (medium, multiple choice)

An organization uses automated job scheduling for batch processing. A critical job fails due to a dependency on another job that has not completed. Which of the following controls would BEST prevent this issue?

Question 67 (medium, multiple choice)

An IT auditor is reviewing backup procedures. The organization performs daily full backups and retains them for 30 days. Additionally, weekly backups are retained for 12 months. Which of the following is the MOST likely risk associated with this backup strategy?

Question 68 (hard, multiple choice)

A system has a Mean Time Between Failures (MTBF) of 500 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

Question 69 (medium, multiple choice)

During a business impact analysis (BIA), which of the following is the MOST important metric to identify for each critical business process?

Question 70 (hard, multiple choice)

An organization is selecting an alternate site for disaster recovery. The site must have sufficient equipment to resume operations within a few hours, and the organization is willing to share the site with another business. Which type of alternate site is MOST appropriate?

Question 71 (easy, multiple choice)

Which of the following disaster recovery test types involves a full switch-over to the alternate site, resulting in actual disruption to normal operations?

Question 72 (medium, multiple choice)

An organization outsources its data center operations to a third-party provider. Which of the following is the MOST important clause to include in the contract to ensure the organization can verify the provider's controls?

Question 73 (hard, multiple choice)

During a software asset management (SAM) audit, it is discovered that the organization is using software that has reached end-of-life. Which of the following is the MOST significant risk associated with this situation?

Question 74 (medium, multi-select)

An IT auditor is reviewing the capacity management process. Which TWO of the following are key activities that should be performed?

Question 75 (hard, multi-select)

An organization is developing a business continuity strategy. Which THREE of the following are essential components of a comprehensive BC strategy?

Question 76 (easy, multiple choice)

An organization is implementing a new incident management process based on ITIL. An incident classified as P1 (Priority 1) occurs. According to ITIL best practices, what is the most appropriate initial action?

Question 77 (medium, multiple choice)

During a change management process review, an IS auditor finds that the change advisory board (CAB) approved a change that subsequently caused a major service outage. The change was classified as 'normal' with no emergency. What is the auditor's primary concern?

Question 78 (hard, multiple choice)

An IS auditor is reviewing automated job scheduling controls. A critical batch job failed due to a dependency on a previous job that had not completed. The system did not alert operations staff. Which control weakness is most significant?

Question 79 (easy, multiple choice)

An organization performs daily full backups of its critical database. The recovery time objective (RTO) is 4 hours. During a disaster, it takes 6 hours to restore the database. What is the most likely cause?

Question 80 (medium, multiple choice)

An IS auditor is evaluating the capacity management process. The auditor notices that CPU utilization has been consistently above 90% for the past three months. The IT manager states that no proactive capacity planning has been performed. What is the primary risk?

Question 81 (medium, multiple choice)

An organization's business continuity plan (BCP) includes alternate facilities that can be operational within 24 hours. The maximum tolerable downtime (MTD) for a critical process is 12 hours. What is the most significant gap?

Question 82 (hard, multiple choice)

An organization has a disaster recovery plan that includes a hot site. During a full interruption test, the recovery team discovers that the hot site's network configuration is incompatible with the production environment. What is the most likely root cause?

Question 83 (easy, multiple choice)

An organization is negotiating a contract with a cloud service provider. Which clause is most important for the IS auditor to ensure is included?

Question 84 (medium, multiple choice)

During a software asset management (SAM) audit, the IS auditor discovers that the organization is using software versions that are no longer supported by the vendor. What is the primary risk?

Question 85 (hard, multiple choice)

An organization uses a third-party vendor for application support. The vendor has subcontracted some support activities to another firm (fourth party). The contract with the vendor requires the vendor to ensure fourth-party compliance, but there is no direct oversight. What is the IS auditor's primary recommendation?

Question 86 (medium, multiple choice)

An IS auditor is reviewing the availability management process. The auditor calculates that the mean time between failures (MTBF) is 200 hours and the mean time to repair (MTTR) is 20 hours. What is the availability percentage?

Question 87 (hard, multiple choice)

An organization is disposing of old servers. The IS auditor reviews the asset disposition process and finds that hard drives are being erased using a standard format command. What is the auditor's primary concern?

Question 88 (easy, multi select)

An IS auditor is reviewing the backup process for a critical database. Which TWO of the following are essential controls to ensure data recoverability?

Question 89 (medium, multi select)

An organization is developing a business continuity strategy. According to best practices, which THREE of the following should be included in the strategy?

Question 90 (hard, multi select)

An IS auditor is reviewing change management for a financial application. Which TWO of the following findings would most likely indicate a control weakness?

Question 91 (medium, multiple choice)

An organization is implementing an automated job scheduling system. Which of the following is the PRIMARY benefit of using dependency management in job scheduling?

Question 92 (hard, multiple choice)

An IS auditor is reviewing a backup strategy that includes daily full backups and weekly offsite storage. The recovery time objective (RTO) for a critical application is 4 hours. Which of the following findings would be of GREATEST concern?

Question 93 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

Question 94 (medium, multiple choice)

An organization uses a hot site as its disaster recovery alternative. Which of the following is the MOST critical consideration when selecting a hot site?

Question 95 (medium, multiple choice)

During a change management audit, an IS auditor finds that a critical system change was approved by the change manager without a CAB meeting. The change was categorized as a standard change. Which of the following should the auditor do FIRST?

Question 96 (hard, multiple choice)

An organization has an availability requirement of 99.99% for its online transaction processing system. The system's MTBF is 720 hours. What is the maximum allowable MTTR to meet this requirement?

Question 97 (easy, multiple choice)

Which of the following is the PRIMARY benefit of conducting a tabletop exercise for disaster recovery?

Question 98 (medium, multiple choice)

An IS auditor is reviewing a third-party service provider's controls. Which of the following is the MOST important clause to include in the contract to ensure the auditor can assess the provider's controls?

Question 99 (medium, multiple choice)

An organization uses RAID 5 for its database server. Which of the following is the PRIMARY advantage of RAID 5?

Question 100 (hard, multiple choice)

During an audit of IT asset management, the IS auditor finds that several servers are running an operating system that has reached end-of-life (EOL). The organization has not deployed any compensating controls. Which of the following is the GREATEST risk?

Question 101 (easy, multiple choice)

In ITIL incident management, which severity level typically indicates a critical incident that severely impacts business operations and requires immediate resolution?

Question 102 (medium, multiple choice)

An organization is implementing a software asset management (SAM) program. Which of the following is the PRIMARY benefit of SAM?

Question 103 (medium, multi select)

An IS auditor is reviewing a business continuity plan (BCP). Which TWO of the following are key components of the business continuity strategy? (Select two.)

Question 104 (hard, multi select)

An organization is planning a full interruption test of its disaster recovery plan. Which THREE of the following should the IS auditor recommend as best practices for this type of test? (Select three.)

Question 105 (easy, multi select)

An IS auditor is reviewing problem management processes. Which TWO of the following are key outputs of effective problem management? (Select two.)

Question 106 (medium, multiple choice)

An organization has implemented a business continuity plan (BCP) and disaster recovery plan (DRP). During a recent full interruption test, the IT team discovered that the recovery time objective (RTO) for a critical application was not met. What is the MOST likely reason for this failure?

Question 107 (easy, multi select)

An IS auditor is reviewing the ITIL incident management process. Which TWO are the correct priority levels and their typical definitions?

Question 108 (medium, multi select)

An IS auditor is reviewing backup procedures for a critical database. Which THREE are key considerations for ensuring backup reliability and recoverability?

Question 109 (hard, multi select)

An organization is implementing a change management process based on ITIL. Which THREE change types should be included in the policy?

Question 110 (easy, multi select)

An IS auditor is assessing the vendor management process. Which TWO are key controls for managing third-party risk?

Question 111 (medium, multi select)

An IS auditor is reviewing the business impact analysis (BIA) for a financial services company. Which THREE metrics are typically defined in a BIA?

Question 112 (hard, multi select)

An IS auditor is evaluating the release management process for a software application. Which TWO are essential components of a successful release plan?

Question 113 (medium, multi select)

An IS auditor is reviewing capacity management practices. Which TWO indicators suggest that proactive capacity management is being performed effectively?

Question 114 (hard, multi select)

An organization uses a cloud service provider (CSP) for critical applications. The IS auditor is reviewing the contract for vendor concentration risk. Which TWO clauses are MOST relevant to mitigating this risk?
