Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISA Governance and Management of IT • Complete Question Bank

CISA Governance and Management of IT — All Questions With Answers

Complete CISA Governance and Management of IT question bank: all 111 questions with answers and detailed explanations. Free, no signup required.
Question 1 (medium, multiple choice)

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?

Question 2 (hard, multiple choice)

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

Question 3 (easy, multiple choice)

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

Question 4 (medium, multiple choice)

A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?

Question 5 (hard, multiple choice)

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

Question 6 (easy, multiple choice)

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

Question 7 (medium, multiple choice)

A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?

Question 8 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an IT governance framework?

Question 9 (hard, multiple choice)

An organization has implemented a new IT service management (ITSM) tool. The IT manager wants to measure the effectiveness of incident management. Which metric is MOST appropriate?

Question 10 (medium, multi select)

Which TWO of the following are key responsibilities of an IT steering committee?

Question 11 (hard, multi select)

Which THREE of the following are components of a typical IT governance framework?

Question 12 (easy, multi select)

Which TWO of the following are benefits of implementing an IT governance framework?

Question 13 (hard, multiple choice)

Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?

Question 14 (medium, multiple choice)

Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?

Question 15 (medium, multiple choice)

An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?

Question 16 (hard, multiple choice)

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

Question 17 (easy, multiple choice)

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of using a framework like COBIT?

Question 18 (medium, multiple choice)

An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?
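The page's explanation sits behind a link, so here is the availability arithmetic worked out as an added example in Python (not the site's answer key). It generalizes the stem to other month lengths and targets so the same function serves as a monthly downtime-budget calculator; the function and field names are illustrative.

```python
"""Monthly availability SLA check.

Added example (not the question bank's answer key). Assumptions: the SLA
window is one calendar month of `days_in_month` days, availability is
measured as (total minutes - outage minutes) / total minutes, and the
outage figure is a single total in minutes. Names are illustrative.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class SlaResult:
    target_pct: float
    total_minutes: int
    allowed_downtime_min: float
    actual_downtime_min: float
    achieved_pct: float
    met: bool


def allowed_downtime_minutes(target_pct: float, days_in_month: int) -> float:
    """Downtime budget for the month: 99.9% over 30 days is 43.2 minutes."""
    if not 0 < target_pct <= 100:
        raise ValueError("target_pct must be in (0, 100]")
    return days_in_month * MINUTES_PER_DAY * (100.0 - target_pct) / 100.0


def evaluate_sla(target_pct: float, days_in_month: int, outage_minutes: float) -> SlaResult:
    """Compare the observed outage with the month's downtime budget."""
    total = days_in_month * MINUTES_PER_DAY
    budget = allowed_downtime_minutes(target_pct, days_in_month)
    achieved = 100.0 * (total - outage_minutes) / total
    return SlaResult(
        target_pct=target_pct,
        total_minutes=total,
        allowed_downtime_min=round(budget, 3),
        actual_downtime_min=outage_minutes,
        achieved_pct=round(achieved, 4),
        met=outage_minutes <= budget + 1e-9,  # small tolerance for float rounding
    )


def downtime_budget_table(days_in_month: int, targets=(99.0, 99.5, 99.9, 99.95, 99.99)) -> dict:
    """Map each availability target to its monthly downtime budget in minutes."""
    return {t: round(allowed_downtime_minutes(t, days_in_month), 2) for t in targets}


if __name__ == "__main__":
    # Figures from the question: 99.9% target, 30-day month, 45-minute outage.
    r = evaluate_sla(99.9, 30, 45)
    print(f"budget {r.allowed_downtime_min} min, actual {r.actual_downtime_min} min, "
          f"achieved {r.achieved_pct}%, met={r.met}")
    print(downtime_budget_table(30))
```

A 30-day month has 43,200 minutes, so a 99.9% target leaves a 43.2-minute budget; the same outage would fit inside a 99.5% target (216 minutes) and would be far outside 99.99% (4.32 minutes), which is why the target figure and the measurement window both belong in the SLA text.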

Question 19 (medium, multi select)

Which TWO of the following are key components of an IT governance framework?

Question 20 (hard, multi select)

Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?

Question 21 (hard, multiple choice)

You are the IT governance lead at a multinational corporation with a complex IT environment spanning multiple business units. The company has recently experienced a series of minor security incidents where unauthorized access was gained through unused user accounts that were not disabled after employees left the organization. Additionally, there have been delays in provisioning access for new hires, leading to productivity losses. The IT department currently uses a manual process for access management, with each business unit maintaining its own user lists. The company has a policy that requires access reviews every quarter, but these are often missed or performed superficially. The CIO has asked you to recommend a solution that addresses these issues while ensuring compliance with regulations such as GDPR and SOX. Which of the following is the BEST course of action?

Question 22 (medium, multi select)

Which TWO of the following are key responsibilities of an IT steering committee?

Question 23 (hard, multiple choice)

Based on the exhibit, which control is most likely missing to prevent this type of event?

Exhibit

Refer to the exhibit.

syslog output:

```
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
```
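The exhibit shows five failed root logins from one source in five seconds. As an added example (not from the question bank or any product), this is the detection logic a practitioner would run over such lines: a sliding-window counter that raises one alert per source/user pair once a configurable number of failures lands inside a window. It assumes classic syslog timestamps without a year (a year is assumed during parsing) and OpenSSH's "Failed password" wording; the first five sample lines are the exhibit, the last two are constructed.

```python
"""Sliding-window detector for SSH password guessing in syslog.

Added example, not part of the question bank. Assumptions: traditional syslog
timestamps without a year (ASSUMED_YEAR is used when parsing), OpenSSH's
"Failed password for <user> from <ip> port <n>" wording, and illustrative
threshold/window values. The first five sample lines are the exhibit above;
the remaining lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2025  # classic syslog omits the year; a Dec->Jan rollover needs extra handling

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LINES = [
    "Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2",
    "Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2",
    "Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2",
    "Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2",
    "Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2",
    # constructed: a successful key login and one isolated failure; neither should alert
    "Mar 15 10:23:50 server01 sshd[1240]: Accepted publickey for alice from 10.0.0.7 port 51514 ssh2",
    "Mar 15 10:23:51 server01 sshd[1241]: Failed password for invalid user admin from 10.0.0.23 port 40022 ssh2",
]


def parse_failed_login(line: str):
    """Return (timestamp, host, user, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Alert once per (source_ip, user) when `threshold` failures land inside `window_seconds`.

    Each alert records the burst's first and last timestamps and the count at
    the moment the threshold was crossed.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, host, user, ip = parsed
        key = (ip, user)
        q = recent[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # expire failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "user": user, "host": host, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LINES, threshold=5, window_seconds=60):
        print(f"{a['host']}: {a['count']} failed logins for {a['user']} from {a['ip']} "
              f"between {a['first']} and {a['last']}")
```

Keying on (source IP, user) rather than on the source alone keeps a single guessed account visible even when the attacker rotates usernames; a second detector keyed on the account alone would catch password spraying from many sources, which this window does not.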
Question 24 (easy, multiple choice)

A mid-sized company is implementing a new IT service management (ITSM) tool to improve incident management. The IT manager wants to ensure that the tool aligns with ITIL best practices. The company has a dedicated service desk team that handles about 200 incidents per week. The IT manager is considering whether to implement a self-service portal for users to submit incidents and check status, or to continue using email-based incident reporting. The service desk team is concerned that a self-service portal might reduce their direct interaction with users and potentially lead to less personalized support. However, the IT manager believes that a portal could improve efficiency and tracking. The company's IT governance framework requires that any major IT investment be approved by the steering committee and that there be a clear business case. The IT manager has prepared a business case but the steering committee wants to ensure that the solution is aligned with ITIL and that it addresses key incident management processes. Which of the following is the most appropriate next step for the IT manager?

Question 25 (medium, drag order)

Arrange the steps to perform a risk assessment in the correct order.

Question 26 (medium, drag order)

Order the steps for performing a data backup in the correct sequence.

Question 27 (medium, matching)

Match each COBIT 5 domain to its description.

Concepts:
- Evaluate, Direct, and Monitor
- Align, Plan, and Organize
- Build, Acquire, and Implement
- Deliver, Service, and Support
- Monitor, Evaluate, and Assess

Question 28 (medium, matching)

Match each log type to its typical content.

Concepts:
- System and application events
- User login attempts and access
- Changes to sensitive data
- System errors and failures

Question 29 (easy, multiple choice)

A company is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

Question 30 (medium, multiple choice)

An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?

Question 31 (hard, multiple choice)

A multinational corporation is evaluating its IT governance structure. The board wants to ensure that IT investments are prioritized based on risk and value. Which framework component is MOST critical?

Question 32 (easy, multiple choice)

A small business lacks formal IT governance. What is the FIRST step to establish governance?

Question 33 (medium, multiple choice)

An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?

Question 34 (hard, multiple choice)

A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?

Question 35 (easy, multiple choice)

An organization wants to ensure that IT performance is measured against strategic goals. Which tool is BEST suited?

Question 36 (medium, multiple choice)

A company has multiple business units with conflicting IT priorities. Which governance body should resolve this?

Question 37 (hard, multiple choice)

An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?

Question 38 (easy, multi select)

An IT governance framework should include which TWO key components? (Select exactly two.)

Question 39 (medium, multi select)

An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)

Question 40 (hard, multi select)

A large enterprise is assessing its IT governance maturity. Which THREE of the following are indicators of a mature governance process? (Select exactly three.)

Question 41 (easy, multiple choice)

Refer to the exhibit. Based on the governance status report, which component should be addressed as a priority?

Exhibit (governance status report; only the column headers survived extraction)

```
> show governance-status
| Component | Status |
```
Question 42 (medium, multiple choice)

Refer to the exhibit. The organization is planning to achieve the target level. What is the MOST appropriate action?

Exhibit

```
> cobit process-capability EDM01
Process: EDM01 - Ensure Governance Framework Setting and Maintenance
Current Level: 3 (Established Process)
Target Level: 4 (Predictable Process)
Gap: 1
```
Question 43 (hard, multiple choice)

Refer to the exhibit. Which perspective shows the greatest deviation from target?

Exhibit

IT BSC Report Q1 2025:
- Financial: Actual 80% of plan (Target 90%)
- Customer: Satisfaction score 4.2/5 (Target 4.0)
- Internal Process: SLA compliance 95% (Target 99%)
- Learning & Growth: Training hours 120 (Target 150)
Question 44 (easy, multiple choice)

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?

Question 45 (easy, multiple choice)

An organization has implemented a balanced scorecard (BSC) for IT performance measurement. Which of the following is the PRIMARY benefit of using a BSC?

Question 46 (easy, multiple choice)

During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?

Question 47 (medium, multiple choice)

An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?

Question 48 (medium, multiple choice)

An IT governance framework has been implemented, but the board is not receiving regular reports on IT performance. Which of the following is the BEST course of action?

Question 49 (medium, multiple choice)

An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?

Question 50 (hard, multiple choice)

An organization has decentralized IT management with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?

Question 51 (hard, multiple choice)

A company is implementing IT governance based on COBIT 2019. Which of the following design factors would have the GREATEST impact on the governance system design?

Question 52 (hard, multiple choice)

An organization's IT strategy is developed by the IT department without input from business stakeholders. Which of the following is the MOST significant risk?

Question 53 (easy, multi select)

Which TWO of the following are key components of an IT governance framework?

Question 54 (medium, multi select)

An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?

Question 55 (hard, multi select)

Which THREE of the following are indicators of mature IT governance?

Question 56 (easy, multiple choice)

Based on the exhibit, what is the MOST appropriate action for IT management?

Exhibit

Refer to the exhibit.
The following is an excerpt from an IT balanced scorecard:
Perspective: Customer
Objective: Improve user satisfaction
KPI: User satisfaction survey score
Target: >85%
Actual: 82%
Question 57 (medium, multiple choice)

Which of the following is a potential risk in this RACI matrix?

Exhibit

Refer to the exhibit.
The following is a RACI matrix for the change management process:
Activity: Change request approval
Responsible: Change Manager (R)
Accountable: IT Director (A)
Consulted: Business Process Owner (C)
Informed: IT Operations (I)
Question 58 (hard, multiple choice)

What is the MOST significant weakness in the planned remediation?

Exhibit

Refer to the exhibit.
The following is an excerpt from an IT control self-assessment report:
Control: Segregation of duties in system development
Finding: In 3 out of 10 projects, the same developer who wrote code also performed code review.
Risk: High
Planned Remediation: Implement automated code review tool by Q3.
Question 59 (easy, multiple choice)

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

Question 60 (medium, multiple choice)

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. What is the committee's MOST important role?

Question 61 (easy, multiple choice)

An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?

Question 62 (medium, multiple choice)

According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?

Question 63 (hard, multiple choice)

An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?

Question 64 (medium, multiple choice)

An organization's IT governance framework includes a policy that all system access must be reviewed quarterly. The internal audit finds that reviews are incomplete. What is the BEST action?

Question 65 (hard, multiple choice)

A multinational corporation is implementing a global IT governance framework. Which of the following challenges is MOST likely to arise?

Question 66 (easy, multiple choice)

An IT manager is developing a governance policy for change management. Which element is MOST important to include?

Question 67 (hard, multiple choice)

An organization's IT governance committee is reviewing a proposal to use a public cloud provider that does not meet the organization's data encryption standards. The board has set a low risk appetite for data privacy. What is the BEST action?

Question 68 (easy, multi select)

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Question 69 (medium, multi select)

An organization is implementing COBIT 2019. Which TWO of the following are governance enablers? (Choose two.)

Question 70 (hard, multi select)

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Question 71 (medium, multiple choice)

Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?

Exhibit

Refer to the exhibit.

IT Balanced Scorecard – Customer Perspective:
- Objective: Improve customer satisfaction
- Metrics:
  - Satisfaction Survey Score (target: >90%)
  - Complaint Resolution Time (target: <24 hours)
- Other perspectives: Internal Process, Learning & Growth, Financial
Question 72 (hard, multiple choice)

An auditor finds that access reviews have not been completed for two quarters. What is the MOST significant risk?

Exhibit

Refer to the exhibit.

Access Control Policy (Excerpt):
- All system access requests must be approved by the data owner.
- Access reviews must be performed quarterly.
- Non-compliant access will be revoked within 24 hours of detection.
Question 73 (easy, multiple choice)

Based on the exhibit, what is the default retention period for data?

Exhibit

Refer to the exhibit.

```json
{
  "policyName": "Data Retention",
  "retentionPeriodDays": 365,
  "enforcement": "automatic",
  "exceptions": [
    {
      "role": "Legal",
      "extendDays": 30
    }
  ]
}
```
Question 74 (medium, multiple choice)

An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?

Question 75 (hard, multiple choice)

During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?

Question 76 (easy, multiple choice)

An organization has a policy requiring all employees to complete annual information security awareness training. Which of the following is the BEST way to verify compliance with this policy?

Question 77 (medium, multiple choice)

A company outsources its data center operations to a third-party provider. Which of the following is the MOST important control to include in the outsourcing contract?

Question 78 (hard, multiple choice)

An IS auditor is reviewing the balanced scorecard for IT. Which of the following metrics BEST aligns with the 'customer perspective'?

Question 79 (easy, multiple choice)

An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?

Question 80 (medium, multiple choice)

A business continuity plan (BCP) includes a tabletop exercise once a year. An IS auditor finds that the exercise only involves IT staff. Which of the following is the BEST recommendation?

Question 81 (hard, multiple choice)

An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?

Question 82 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an IT strategy committee?

Question 83 (medium, multi select)

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Question 84 (hard, multi select)

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Question 85 (easy, multi select)

Which TWO of the following are common objectives of an IT balanced scorecard? (Choose two.)

Question 86 (medium, multiple choice)

Based on the exhibit, what is the MOST likely security risk?

Exhibit

Refer to the exhibit.

```
access-list 101 permit tcp any host 192.168.1.100 eq 80
access-list 101 permit tcp any host 192.168.1.100 eq 443
access-list 101 deny ip any host 192.168.1.100
access-list 101 permit ip any any
```
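Reasoning about the exhibit means evaluating traffic the way the device does: top-down, first match wins, with an implicit deny at the end of every ACL. The following is an added example, not part of the question bank or any vendor code; it supports only the syntax in the exhibit plus contiguous wildcard masks, and the packets it evaluates are constructed test traffic, including a neighbouring host 192.168.1.101 that the exhibit does not mention.

```python
"""First-match evaluator for Cisco-style extended numbered ACLs.

Added example, not part of the question bank or any vendor code. Assumptions:
only the syntax in the exhibit plus contiguous wildcard masks is supported
(protocol tcp/udp/ip, 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', optional
'eq PORT'); Cisco's implicit "deny ip any any" terminates every ACL; the
packets in the demo are constructed test traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXHIBIT_ACL = """
access-list 101 permit tcp any host 192.168.1.100 eq 80
access-list 101 permit tcp any host 192.168.1.100 eq 443
access-list 101 deny ip any host 192.168.1.100
access-list 101 permit ip any any
""".strip().splitlines()

IMPLICIT_DENY = "implicit deny ip any any"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # "A.B.C.D wildcard": wildcard 1-bits are don't-care, so the netmask is the inverse.
    # Non-contiguous wildcards raise NetmaskValueError; this example does not support them.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    if i < len(t) and t[i] == "eq":      # source port: parsed but ignored here
        i += 2
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(action, proto, src, dst, dport, line.strip())


def parse_acl(lines) -> List[Rule]:
    return [parse_rule(l) for l in lines if l.strip()]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; fall through to the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src_net or dst not in r.dst_net:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.text
    return "deny", IMPLICIT_DENY


if __name__ == "__main__":
    acl = parse_acl(EXHIBIT_ACL)
    for pkt in (Packet("tcp", "10.0.0.5", "192.168.1.100", 443),
                Packet("tcp", "10.0.0.5", "192.168.1.100", 22),
                Packet("tcp", "10.0.0.5", "192.168.1.101", 22),   # constructed neighbour host
                Packet("udp", "10.0.0.5", "192.168.1.100", 53)):
        action, rule = evaluate(acl, pkt)
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: {action} ({rule})")
```

Running the four packets shows the third line protecting 192.168.1.100 exactly as intended, while the fourth line decides everything addressed to any other host; evaluating the same ACL without its last line, as the test below does, falls through to the implicit deny instead.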
Question 87 (hard, multiple choice)

An organization uses the policy shown. Which of the following is an omission in the policy?

Exhibit

Refer to the exhibit.

```json
{
  "policy": "DataRetention",
  "rules": [
    {"dataType": "PII", "retentionDays": 365, "encryptionRequired": true},
    {"dataType": "Financial", "retentionDays": 2555, "encryptionRequired": true},
    {"dataType": "Log", "retentionDays": 90, "encryptionRequired": false}
  ]
}
```
Question 88 (easy, multiple choice)

Based on the log, what is the MOST likely root cause of the backup failure?

Exhibit

Refer to the exhibit.

```
[2025-03-01 02:00:00] ERROR: Backup job 'DailyFullBackup' failed.
[2025-03-01 02:00:05] INFO: Target directory '/mnt/backup' is full.
[2025-03-01 02:00:10] WARN: No space left on device.
```
Question 89 (medium, multiple choice)

A large financial institution is evaluating the effectiveness of its IT governance framework. The board has requested a review to ensure alignment with business objectives and regulatory requirements. Which of the following is the MOST important factor for the board to consider when assessing the IT governance framework?

Question 90 (easy, multiple choice)

An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?

Question 91 (hard, multiple choice)

A multinational corporation has defined its risk appetite as 'moderate' for IT investments. The IT steering committee is evaluating a new project with potential high returns but also significant cybersecurity risks. The project's risk profile is assessed as 'high' by the risk management team. What should the committee do FIRST?

Question 92 (medium, multiple choice)

A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?

Question 93 (easy, multiple choice)

An organization has a policy requiring annual information security awareness training for all employees. During a recent audit, it was found that 20% of employees had not completed the training. What is the BEST course of action for the IT governance committee?

Question 94 (hard, multiple choice)

An IT department uses a balanced scorecard (BSC) to measure performance. The financial perspective shows that IT costs are within budget, but customer satisfaction scores are declining. The learning and growth perspective indicates low employee engagement. Which action should the IT governance committee prioritize?

Question 95 (medium, multiple choice)

A company plans to outsource its data center operations to a cloud service provider. What is the MOST important governance consideration for the board before finalizing the contract?

Question 96 (easy, multiple choice)

A healthcare organization must comply with HIPAA regulations regarding patient data privacy. The IT department has implemented technical controls, but the compliance officer discovers that some employees are sharing passwords. What is the BEST governance response?

Question 97 (medium, multi select)

Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?

Question 98 (hard, multi select)

Which THREE of the following are components of the COBIT 2019 governance system?

Question 99 (easy, multi select)
Read the full Governance and Management of IT explanation →

Which TWO of the following are benefits of establishing an IT steering committee?

Question 100 (hard, multiple choice)
Read the full Governance and Management of IT explanation →

A multinational manufacturing company with operations in 20 countries has historically allowed each regional division to manage its own IT systems independently. Recently, the company experienced a significant data breach originating from a region with weaker security controls, leading to financial losses and reputational damage. The board has mandated stronger IT governance to prevent future incidents. The CIO proposes implementing a global IT governance framework with centralized policy enforcement. However, regional directors argue that local regulations and business needs require autonomy. The governance committee must decide on a course of action that balances risk and business flexibility. Which of the following approaches is the MOST appropriate?

Question 101 (medium, multiple choice)
Read the full Governance and Management of IT explanation →

A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?

Question 102 (easy, multiple choice)
Read the full Governance and Management of IT explanation →

A medium-sized e-commerce company recently suffered a ransomware attack that encrypted critical databases. The IT team restored systems from backups, but the incident exposed a lack of clear roles and responsibilities for incident response. The board has asked the IT governance committee to review and improve the incident response governance. The committee notes that while there is an incident response policy, it is not regularly tested, and staff are unsure of their roles. The company also lacks a formal communication protocol for notifying stakeholders. What should the committee prioritize to strengthen governance over incident response?

Question 103 (medium, multiple choice)
Read the full Governance and Management of IT explanation →

A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete – it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?

Question 104 (medium, multi select)
Read the full Governance and Management of IT explanation →

An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?

Question 105 (easy, multiple choice)
Read the full Governance and Management of IT explanation →

A medium-sized manufacturing company has a decentralized IT structure where each business unit manages its own IT budget and projects. The CEO is concerned that IT investments are not aligned with corporate strategy and that there is duplication of effort. The IT department lacks a formal project portfolio management process. The company has experienced several project failures due to poor prioritization. The CEO has asked the newly hired IT auditor to recommend an initial step to improve IT governance. The auditor should recommend:

Question 106 (medium, multiple choice)
Read the full Governance and Management of IT explanation →

A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:

Question 107 (hard, multiple choice)
Read the full Governance and Management of IT explanation →

A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:

Question 108 (hard, multiple choice)
Read the full Governance and Management of IT explanation →

A government agency has an IT governance framework that includes an IT strategy committee, an IT steering committee, and a project management office. Despite this, there is a lack of transparency regarding IT spending and resource allocation. The agency's annual audit found that several IT initiatives were not approved by the steering committee and were funded out of operational budgets. The CFO is frustrated because IT costs are unpredictable. The agency's chief information officer (CIO) reports to the CFO but the IT steering committee is chaired by the CIO. The auditor's best recommendation to improve governance is to:

Question 109 (medium, multi select)
Read the full Governance and Management of IT explanation →

Which TWO of the following are recommended practices for aligning IT strategy with business goals, according to COBIT 2019?

Question 110 (hard, multiple choice)
Read the full Governance and Management of IT explanation →

Based on the exhibit, which control deficiency is most critical for the IS auditor to address?

Exhibit

Refer to the exhibit.
```
# cat /var/log/auth.log
Mar 10 08:12:34 srv01 sshd[1234]: Accepted password for admin from 192.168.1.10 port 22
Mar 10 08:15:22 srv01 sshd[1235]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:25 srv01 sshd[1236]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:28 srv01 sshd[1237]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:31 srv01 sshd[1238]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:34 srv01 sshd[1239]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:37 srv01 sshd[1240]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:18:01 srv01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/su -
```
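To make the reading of the exhibit reproducible, here is an added Python example (it is not from Courseiva or the question bank) that parses the sshd and sudo records shown above and applies the checks an auditor would otherwise make by hand: repeated password failures for one account from one source inside a short window, whether that source subsequently authenticated, password authentication being attempted against root, and sudo being used to open an interactive root shell. The sample log is a constructed copy of the exhibit; the year (syslog timestamps carry none), the threshold and window, and the rule names are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample that mirrors the exhibit above; not taken from a real host.
SAMPLE_LOG = """\
Mar 10 08:12:34 srv01 sshd[1234]: Accepted password for admin from 192.168.1.10 port 22
Mar 10 08:15:22 srv01 sshd[1235]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:25 srv01 sshd[1236]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:28 srv01 sshd[1237]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:31 srv01 sshd[1238]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:34 srv01 sshd[1239]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:15:37 srv01 sshd[1240]: Failed password for root from 10.0.0.5 port 22
Mar 10 08:18:01 srv01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/su -
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo: +(?P<user>\S+) : (?:TTY=(?P<tty>\S+) ; )?"
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Commands that hand the caller an interactive shell as the target user.
ROOT_SHELLS = re.compile(r"(?:^|/)(?:su|sh|bash|dash|zsh|ksh)(?:\s|$)")


def parse_ts(text, year=2024):
    """syslog timestamps carry no year; one is assumed so that window arithmetic works."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return a dict for sshd authentication results and sudo records, None for anything else."""
    for kind, rx in (("sshd", SSHD_RE), ("sudo", SUDO_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = parse_ts(ev["ts"])
            return ev
    return None


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Run the four checks over the log text and return a list of findings (dicts with a 'rule' key)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    sshd = [ev for ev in events if ev["kind"] == "sshd"]
    findings = []

    # 1. Password guessing: at least `threshold` failures for one (source, user) inside `window`.
    failures = defaultdict(list)
    for ev in sshd:
        if ev["result"] == "Failed":
            failures[(ev["src"], ev["user"])].append(ev["ts"])
    for (src, user), times in failures.items():
        times.sort()
        hit = next((i for i in range(len(times) - threshold + 1)
                    if times[i + threshold - 1] - times[i] <= window), None)
        if hit is not None:
            span = int((times[-1] - times[0]).total_seconds())
            findings.append({"rule": "ssh_password_guessing", "src": src, "user": user,
                             "count": len(times), "span_s": span})
            # 2. Did the same source get in afterwards? That turns a noisy event into an incident.
            if any(ev["result"] == "Accepted" and ev["src"] == src and ev["ts"] >= times[0]
                   for ev in sshd):
                findings.append({"rule": "success_after_guessing", "src": src})

    # 3. Password authentication is being attempted against root over SSH. The log alone cannot
    #    prove PermitRootLogin is 'yes', so this is a "verify sshd_config" finding, not a confirmed one.
    if any(ev["user"] == "root" and ev["method"] == "password" for ev in sshd):
        findings.append({"rule": "root_password_auth_attempted"})

    # 4. sudo used to open an interactive root shell: once inside `su -`, individual commands are
    #    no longer attributed to the admin, which is the accountability gap an auditor looks for.
    for ev in events:
        if ev["kind"] == "sudo" and ev["target"] == "root" and ROOT_SHELLS.search(ev["cmd"]):
            findings.append({"rule": "sudo_interactive_root_shell", "user": ev["user"], "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample the script reports six failures for root from 10.0.0.5 within 15 seconds, password authentication attempted against root, and admin opening a root shell through sudo; it does not report a successful login from 10.0.0.5 because none appears. Which of those the question treats as the most critical deficiency is for the explanation page to say; the script only makes each one explicit.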

Question 111 (easy, multiple choice)
Read the full Governance and Management of IT explanation →

A medium-sized manufacturing company has recently deployed an ERP system to integrate its financial, supply chain, and HR processes. The IT department is small (5 staff) and reports to the CFO. The company has no formal IT governance committee; IT decisions are made by the CFO and CEO informally. During a recent audit, it was found that several critical security patches for the ERP system have not been applied, and there are no documented procedures for change management. The IT manager states that patches are applied when time permits, and changes are discussed via email. The CFO argues that the ERP is running fine and the audit findings are low risk. The IS auditor needs to recommend a course of action to improve IT governance. Which of the following is the MOST appropriate initial step?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CISA Practice Test 1 — 10 Questions
CISA Practice Test 2 — 10 Questions
CISA Practice Test 3 — 10 Questions
CISA Practice Test 4 — 10 Questions
CISA Practice Test 5 — 10 Questions
CISA Practice Exam 1 — 20 Questions
CISA Practice Exam 2 — 20 Questions
CISA Practice Exam 3 — 20 Questions
CISA Practice Exam 4 — 20 Questions
Free CISA Practice Test 1 — 30 Questions
Free CISA Practice Test 2 — 30 Questions
Free CISA Practice Test 3 — 30 Questions
CISA Practice Questions 1 — 50 Questions
CISA Practice Questions 2 — 50 Questions
CISA Exam Simulation 1 — 100 Questions

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations and Business Resilience
Protection of Information Assets
Information System Auditing Process

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Governance and Management of IT sets
All Governance and Management of IT questions
CISA Practice Hub