Sample questions
Certified Information Systems Auditor (CISA) practice questions
An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?
- A
Document the unresolved defects as known issues in a risk acceptance form with a remediation plan, then proceed with go-live
Best practice: formally track and accept residual risk.
- B
Re-run all UAT test cases to ensure no regression occurs
Why wrong: Too broad; not necessary for low-severity issues.
- C
Delay go-live until all defects are resolved
Why wrong: Unnecessary delay for low-severity issues.
- D
Obtain sign-off from business stakeholders acknowledging the risks and proceed with go-live
Why wrong: Lacks formal documentation of the known issues.
An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?
- A
Implementing DLP in monitoring mode initially to baseline traffic
Monitoring first helps tune policies and reduce false positives.
- B
Deploying DLP agents on all endpoints before defining policies
Why wrong: Policies should be defined before deployment to avoid disruption.
- C
Encrypting all data at rest and in transit as a prerequisite
Why wrong: Encryption is a separate control; DLP can work with or without it.
- D
Classifying data based on sensitivity and criticality
Data classification is essential to define DLP policies.
- E
Replacing user security awareness training with automated DLP
Why wrong: DLP complements but does not replace training.
Based on the exhibit, which control is most likely missing to prevent this type of event?
Exhibit
Refer to the exhibit. syslog output:
```
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
```
- A
Applying the latest security patches to the SSH service
Why wrong: Patching addresses vulnerabilities, not brute-force attacks.
- B
Implementing account lockout after three failed attempts
Account lockout directly mitigates brute-force attacks by refusing further attempts once the threshold is reached. In practice it is paired with per-source rate limiting (for example fail2ban, or sshd's MaxAuthTries per connection) so that an attacker cannot use the lockout itself to deny service to legitimate users.
- C
Disabling direct root login via SSH
Why wrong: Even if root login is disabled, attackers could still brute-force other user accounts.
- D
Enforcing strong password complexity
Why wrong: Strong passwords make brute force harder but do not prevent repeated attempts.
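The following is an added example, not part of the original question set, showing the detection logic that an account lockout or rate-limiting control would run over the exhibit's syslog lines. It parses `Failed password` events, counts failures per account/source within a sliding window, and records the point at which a lockout with a threshold of three would have refused further attempts. The log lines are a constructed copy of the exhibit plus one unrelated successful login; the year and the 300-second window are assumptions, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the five exhibit lines plus a successful key login
# from another host, which the detector must ignore.
SAMPLE_LOG = """\
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:24:02 server01 sshd[1301]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2
"""

# OpenSSH "Failed password" lines; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Return [(timestamp, user, source_ip)] for each failed-password line.
    syslog has no year field, so one is assumed (hypothetical value)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def detect_bruteforce(text, threshold=3, window_seconds=300, key_by="both"):
    """Model a lockout control. key_by selects what gets locked:
    'account' (classic account lockout), 'source' (fail2ban-style IP ban),
    or 'both' (account + source pair). Returns {key: {locked_at, failures, refused}}."""
    pick = {
        "account": lambda u, s: u,
        "source": lambda u, s: s,
        "both": lambda u, s: (u, s),
    }[key_by]
    recent = defaultdict(deque)   # sliding window of failure timestamps per key
    locked = {}
    for ts, user, src in parse_failures(text):
        key = pick(user, src)
        if key in locked:
            locked[key]["refused"] += 1   # a real lockout would reject this attempt
            continue
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop failures outside the window
        if len(q) >= threshold:
            locked[key] = {"locked_at": ts, "failures": len(q), "refused": 0}
    return locked


if __name__ == "__main__":
    for key, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{key}: locked at {info['locked_at']:%H:%M:%S}, "
              f"{info['refused']} later attempts would have been refused")
```

Run against the exhibit, the root/10.0.0.99 pair trips the threshold on the third failure at 10:23:47 and the remaining two attempts are refused; raising the threshold above five, or keying only on accounts an attacker never targets, produces no lockout, which is the gap the question is about. Keying by source rather than account is what fail2ban does and avoids locking out the legitimate owner of a targeted account.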
Arrange the steps to perform a risk assessment in the correct order.
Order the steps for conducting an audit engagement from start to finish.
Order the steps for responding to a security incident in the correct sequence.
Arrange the steps to implement a password policy in the correct order.
Order the steps for conducting a business impact analysis (BIA) in the correct sequence.
Order the steps for performing a disaster recovery test in the correct sequence.
Which of the following is the PRIMARY purpose of a data classification scheme?
- A
To enable encryption of all sensitive data
Why wrong: Encryption is a control, not the purpose of classification.
- B
To meet regulatory compliance requirements
Why wrong: Compliance is a benefit, not the primary purpose.
- C
To define data retention periods
Why wrong: Retention is a separate policy.
- D
To ensure appropriate security controls are applied based on data sensitivity
Classification drives protection.
An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?
- A
An audit log showing all successful and failed login attempts
Why wrong: Shows activity but not whether access rights are appropriate.
- B
A password policy requiring complex passwords
Why wrong: Password policy addresses authentication, not authorization.
- C
An access control matrix defining roles and permissions
Why wrong: Defines intended access but not actual assignment.
- D
A recent user access review report signed by department managers
A signed review is direct evidence that managers compared the access actually assigned with business need and attested that it is appropriate.
During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?
- A
Recommend that the policy be changed to allow quarterly reviews
Why wrong: The auditor should not change policy, only assess risk.
- B
Report the noncompliance with the policy as a finding immediately
Why wrong: The auditor should evaluate compensating controls first.
- C
Escalate the issue to senior management for immediate resolution
Why wrong: Escalation should occur after analysis.
- D
Determine if compensating controls mitigate the risk of less frequent reviews
Compensating controls may make quarterly reviews acceptable.
During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?
- A
Recommend that a new BIA be conducted to validate and update the DRP.
A current BIA is essential to identify changes in business processes and threats, ensuring the DRP is aligned.
- B
Accept the IT manager's rationale and close the finding.
Why wrong: The BIA must be current to ensure the DRP remains effective; ignoring the gap is risky.
- C
Recommend terminating the current DRP until the BIA is completed.
Why wrong: Terminating the DRP without a replacement would leave the organization without any recovery plan.
- D
Recommend accepting the risk and documenting the decision.
Why wrong: Simply accepting the risk without reassessment may expose the organization to unmitigated impacts.
Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?
- A
Requiring change management approval for all production changes
Ensures changes are authorized before implementation.
- B
Enforcing segregation of duties between development and production
Prevents unauthorized changes by separating roles.
- C
Implementing audit logging of all data changes
Why wrong: Audit logs detect but do not prevent changes.
- D
Encrypting production data at rest
Why wrong: Encryption protects confidentiality, not integrity.
- E
Using automated testing for all code changes
Why wrong: Testing ensures quality but does not prevent unauthorized changes.
Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?
Exhibit
Refer to the exhibit.
```
Access Control List for /payroll:
User: jdoe (Read, Write)
User: asmith (Read)
Group: HR_Managers (Full Control)
Group: Payroll_Clerks (Read, Write)
Group: Internal_Audit (Read)
Effective permissions for user jdoe: Read, Write
```
- A
Internal_Audit group has Read access to payroll data
Why wrong: Read access for auditors is generally appropriate.
- B
User asmith has only Read access to payroll
Why wrong: Read access may be appropriate for their role.
- C
HR_Managers group has Full Control over payroll
Why wrong: Full Control may be necessary for HR managers.
- D
Potential excessive privileges for user jdoe due to overlapping permissions
jdoe holds a direct user entry on top of whatever the groups grant. Rights assigned directly to a user rather than through a role are easy to miss in periodic reviews and tend to accumulate, so the auditor should confirm that the explicit Read, Write entry was authorized and is still required.
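The following is an added example, not part of the original question, showing how an auditor can compute effective permissions from an ACL like the exhibit's and flag direct user entries that overlap with group grants. The ACL text is a constructed copy of the exhibit; the group memberships (jdoe in Payroll_Clerks, asmith in no group, and a hypothetical user mlee in two groups) are assumptions, since the exhibit does not list them. Full Control is treated as implying Read and Write, which is an assumption about this ACL model.

```python
import re

# Constructed copy of the exhibit's ACL.
ACL_TEXT = """\
Access Control List for /payroll:
User: jdoe (Read, Write)
User: asmith (Read)
Group: HR_Managers (Full Control)
Group: Payroll_Clerks (Read, Write)
Group: Internal_Audit (Read)
"""

# Assumed group memberships (hypothetical; not stated in the exhibit).
MEMBERSHIPS = {
    "jdoe": {"Payroll_Clerks"},
    "asmith": set(),
    "mlee": {"HR_Managers", "Payroll_Clerks"},
}

ENTRY_RE = re.compile(r"^(User|Group): (\S+) \((.+)\)$")


def parse_acl(text):
    """Return {'User': {name: perms}, 'Group': {name: perms}} from the ACL listing."""
    entries = {"User": {}, "Group": {}}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kind, name, perms = m.groups()
            entries[kind][name] = {p.strip() for p in perms.split(",")}
    return entries


def expand(perms):
    """Full Control implies Read and Write in this model (assumption)."""
    perms = set(perms)
    if "Full Control" in perms:
        perms |= {"Read", "Write"}
    return perms


def effective_permissions(acl, user, memberships):
    """Union of the user's direct entry and every group entry the user inherits.
    Returns {permission: {sources}} so overlap is visible, not just the final set."""
    sources = {}
    for p in expand(acl["User"].get(user, set())):
        sources.setdefault(p, set()).add(f"user:{user}")
    for group in sorted(memberships.get(user, set())):
        for p in expand(acl["Group"].get(group, set())):
            sources.setdefault(p, set()).add(f"group:{group}")
    return sources


def review_direct_entries(acl, memberships):
    """For every direct user entry, report whether each right is also granted
    through a group ('redundant') or exists only because of the direct entry
    ('direct-only'). Both are review items: redundant grants survive role
    changes, direct-only grants bypass the role model entirely."""
    rows = []
    for user, direct in sorted(acl["User"].items()):
        sources = effective_permissions(acl, user, memberships)
        for p in sorted(expand(direct)):
            via_groups = sorted(s for s in sources[p] if s.startswith("group:"))
            rows.append((user, "redundant" if via_groups else "direct-only", p, via_groups))
    return rows


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for user in MEMBERSHIPS:
        print(user, sorted(effective_permissions(acl, user, MEMBERSHIPS)))
    for row in review_direct_entries(acl, MEMBERSHIPS):
        print(row)
```

Under the assumed memberships jdoe's effective rights come out as Read, Write, matching the exhibit, but both rights are granted twice (directly and via Payroll_Clerks), so removing jdoe from the group would not remove the access. That is the overlap the question points at; the review output gives the auditor the list to take back to the data owner.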
Which THREE of the following are key elements that should be included in a risk assessment report for information systems?
- A
Identification of critical assets and their vulnerabilities
Needed to understand what is at risk.
- B
Recommendations for risk mitigation or acceptance
Provides actionable next steps.
- C
List of all vendors and their contract terms
Why wrong: Not typically part of an IS risk assessment report.
- D
Evaluation of current controls and their effectiveness
Essential to assess residual risk.
- E
Detailed budget for implementing security controls
Why wrong: Budget is a separate planning document.
Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)
- A
It provides a structured approach to system development
SDLC defines phases and deliverables.
- B
It ensures user requirements are captured and validated
SDLC includes requirements gathering and review phases.
- C
It prevents any scope changes during development
Why wrong: Scope changes can still occur; SDLC helps manage them.
- D
It eliminates the need for security testing
Why wrong: Security testing is still needed.
- E
It reduces the overall cost of development
Why wrong: SDLC can add overhead; cost reduction is not guaranteed.
A company is designing its backup strategy for a critical database that must be available 24/7. The database experiences high transaction volumes. Which backup method minimizes data loss while allowing continuous operations?
- A
Offline full backup performed weekly
Why wrong: Offline backup requires taking the database offline, causing downtime.
- B
Differential backup performed daily
Why wrong: Differential backup alone does not provide continuous protection and still requires a full backup.
- C
Online backup with transaction log backups
Online backups run while the database is active, and transaction log backups allow point-in-time recovery. The worst-case data loss (recovery point objective) is bounded by the log backup interval, and if the tail of the log survives the failure it can be backed up and applied as well.
- D
Full backup performed during low-usage periods
Why wrong: Even during low usage, a full backup can impact performance and may require downtime.
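The following is an added example, not part of the original question, that models why the log-backup schedule rather than the full or differential schedule determines how much committed data can be lost. It replays a constructed set of committed transactions against a full backup taken at midnight, log backups every 15 minutes, and a failure at 10:08, then compares the recoverable state with a daily-differential-only schedule and with the case where the tail of the log survives. All times, keys and values are constructed for the illustration; the model ignores restore duration and assumes every transaction committed before a backup is captured by it.

```python
from datetime import datetime, timedelta

# Constructed schedule: full backup at 00:00, log backup every 15 minutes,
# failure at 10:08. Differential-only schedules are modelled by passing a
# one-day interval, i.e. one capture point per day.
FULL_BACKUP_AT = datetime(2024, 3, 15, 0, 0)
LOG_BACKUP_INTERVAL = timedelta(minutes=15)
FAILURE_AT = datetime(2024, 3, 15, 10, 8)

# Constructed committed transactions: (commit_time, key, new_value).
TRANSACTIONS = [
    (datetime(2024, 3, 15, 9, 50), "acct-1", 100),
    (datetime(2024, 3, 15, 9, 58), "acct-2", 250),
    (datetime(2024, 3, 15, 10, 3), "acct-1", 120),   # after the 10:00 log backup
    (datetime(2024, 3, 15, 10, 7), "acct-3", 75),    # after the 10:00 log backup
]


def last_backup_before(t, start, interval):
    """Time of the most recent scheduled backup at or before t."""
    periods = (t - start) // interval
    return start + periods * interval


def restorable_state(full_at, interval, failure_at, txns, tail_log_available=False):
    """Replay every transaction captured by a backup taken before the failure.
    Returns (recovered_state, lost_transactions, recovery_point).
    With tail_log_available=True the surviving log is backed up after the
    failure, so the recovery point moves up to the moment of failure."""
    recovery_point = failure_at if tail_log_available else last_backup_before(
        failure_at, full_at, interval)
    state = {}
    lost = []
    for ts, key, value in sorted(txns):
        if ts <= recovery_point:
            state[key] = value          # captured: full backup + log chain
        else:
            lost.append((ts, key, value))
    return state, lost, recovery_point


def worst_case_loss(interval):
    """Worst-case data loss if the failure strikes just before the next backup."""
    return interval


if __name__ == "__main__":
    for label, interval in (("15-minute log backups", LOG_BACKUP_INTERVAL),
                            ("daily differential only", timedelta(days=1))):
        state, lost, rp = restorable_state(FULL_BACKUP_AT, interval, FAILURE_AT, TRANSACTIONS)
        print(f"{label}: recover to {rp:%H:%M}, {len(lost)} committed txns lost, "
              f"worst case {worst_case_loss(interval)}")
    state, lost, rp = restorable_state(FULL_BACKUP_AT, LOG_BACKUP_INTERVAL, FAILURE_AT,
                                       TRANSACTIONS, tail_log_available=True)
    print(f"with tail-log backup: recover to {rp:%H:%M}, {len(lost)} txns lost")
```

With 15-minute log backups the database is recoverable to 10:00 and only the two transactions committed after that are lost; with a daily differential the recovery point falls back to the last capture at midnight and the whole morning is lost. The log backup interval is therefore the knob an auditor should check against the stated recovery point objective.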
During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?
- A
Maintaining a configuration management database (CMDB)
Why wrong: CMDB documents configurations but does not prevent misconfiguration.
- B
Implementing a change management process for SAN configurations
Why wrong: Change management helps but does not guarantee correct zoning; testing is more direct.
- C
Using automated replication monitoring tools
Why wrong: Monitoring tools alert on replication failures but do not prevent zoning issues.
- D
Conducting regular disaster recovery testing including full failover
Regular testing validates that all components work together, including SAN zoning.
An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?
- A
The hot site uses a different internet service provider than the primary site
Why wrong: This is a best practice for diversity, not a concern.
- B
The hot site has not been tested in the past 12 months
Why wrong: While testing is important, the reciprocal agreement's lack of exclusivity is a more fundamental risk.
- C
The reciprocal agreement does not guarantee exclusive use of the hot site during a disaster
If both organizations activate simultaneously, the hot site may not have sufficient capacity for both.
- D
The hot site is located in the same seismic zone as the primary site
Why wrong: Geographic risk is relevant but not as urgent as the capacity sharing issue.
An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?
- A
System uptime percentage
Why wrong: Measures availability, not resource utilization.
- B
Average server CPU utilization
Directly measures how efficiently computing resources are used.
- C
Number of help desk tickets resolved per day
Why wrong: Measures support productivity, not resource utilization.
- D
Percentage of projects completed on time
Why wrong: Measures project management efficiency.
An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?
- A
Continuous stakeholder feedback is incorporated
Agile emphasizes ongoing collaboration.
- B
Detailed requirements are defined upfront
Why wrong: This is typical of waterfall.
- C
Documentation is minimized to save time
Why wrong: Agile values working software over comprehensive documentation, but not necessarily minimized.
- D
The entire system is delivered at once
Why wrong: Agile delivers in increments.
When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?
- A
Conducting a vendor demonstration
Why wrong: Useful but may not reveal gaps.
- B
Developing a project plan with milestones
Why wrong: Important but not the most important for requirements.
- C
Performing a gap analysis between requirements and software features
Directly addresses requirements coverage.
- D
Reviewing the software's technical architecture
Why wrong: Focuses on technical fit, not functional.
In a traditional waterfall SDLC, when should the test plan be developed?
- A
During the implementation phase
Why wrong: Too late.
- B
During the coding phase
Why wrong: Too late for effective planning.
- C
During the requirements phase
Why wrong: Possible but design phase is more typical.
- D
During the design phase
Test cases can be derived from the design specifications before coding starts, so the plan is ready when there is something to test.