ISACA exam questions

Certified Information Systems Auditor CISA practice test

Practise with the Certified Information Systems Auditor (CISA) practice test: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

509 practice questions · 5 topics covered · Exam code: CISA · Vendor: ISACA

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 509 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 509 CISA questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 509 total

Related practice questions

Study CISA by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations, not to memorise copied exam dumps.

Sample questions

Certified Information Systems Auditor CISA practice questions

An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?

An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?

Based on the exhibit, which control is most likely missing to prevent this type of event?

Exhibit

Refer to the exhibit.

syslog output:
```
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
```

Arrange the steps to perform a risk assessment in the correct order.

Order the steps for conducting an audit engagement from start to finish.

Order the steps for responding to a security incident in the correct sequence.

Arrange the steps to implement a password policy in the correct order.

Order the steps for conducting a business impact analysis (BIA) in the correct sequence.

Order the steps for performing a disaster recovery test in the correct sequence.

Which of the following is the PRIMARY purpose of a data classification scheme?

An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?

During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

Exhibit

Refer to the exhibit.
```
Access Control List for /payroll:
User: jdoe (Read, Write)
User: asmith (Read)
Group: HR_Managers (Full Control)
Group: Payroll_Clerks (Read, Write)
Group: Internal_Audit (Read)
Effective permissions for user jdoe: Read, Write
```

Which THREE of the following are key elements that should be included in a risk assessment report for information systems?

Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)

A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?

During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

In a traditional waterfall SDLC, when should the test plan be developed?

Exam question guide

How to use these CISA questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer. They check:

How to extract the relevant detail from an exhibit.
How topology, command output or routing information affects the answer.
How to avoid answering from memory before reading the evidence.
How to map the exhibit back to the exam objective.

These CISA practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CISA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.