Question 306 of 509

Quick Answer

The answer is to re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. This is correct because agile risk management demands that critical compliance vulnerabilities, such as PII exposure violating privacy laws, be treated as the highest-priority user story; deferring redaction to a future sprint would leave an unacceptable legal risk unmitigated, and the IS auditor’s role is to ensure immediate re-prioritization over schedule preservation. On the CISA exam, this scenario tests your understanding of how agile frameworks handle emergent high-severity risks—specifically that compliance-driven PII redaction must take priority over release cadence—and the common trap is choosing to defer the fix to maintain the sprint timeline. Remember the memory tip: “Compliance cracks the sprint—re-estimate, don’t delay.”

CISA Practice Question: Information Systems Acquisition, Development and Implementation

This CISA practice question tests your understanding of information systems acquisition, development and implementation. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.

Question 1 · hard · multiple choice

Why each option matters


Correct answer & explanation

Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.

Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Implement network-level restrictions to prevent external sharing.

    Why it's wrong here

    Addresses symptom but not the root cause.

  • Provide users with training on manual redaction as a workaround.

    Why it's wrong here

    Not a sustainable control.

  • Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.

    Why this is correct

    Balances compliance and schedule.

    Clue confirmation

    The clue words "best", "immediately / without restart" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Document the risk and accept the compliance exposure until the planned sprint.

    Why it's wrong here

    Compliance criticality requires immediate action.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may confuse risk acceptance (Option D) with a valid agile practice, but the IS auditor must prioritize compliance over schedule, and deferring a legal violation is not acceptable risk management when a feasible mitigation exists.

Detailed technical explanation

How to think about this question

In agile risk management, the product backlog is continuously refined based on new information; a PII redaction feature typically involves implementing automated regex-based or machine-learning-based redaction algorithms that scan document fields (e.g., SSN, case numbers) and replace them with placeholders before export. Real-world law enforcement systems often integrate with redaction libraries (e.g., Apache Tika or custom NLP models) that must be tested for false positives/negatives, and re-estimating the sprint ensures the team allocates time for both development and security testing of that feature.
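To make the regex-based redaction described above concrete, here is an added example written for this page (it is not code from the original question, from any agency system, or from Apache Tika). The detection patterns, the placeholder format, the field names and the sample case record are all constructed assumptions. It redacts each field of a record before export, keeps a count of what was replaced for audit purposes, gates the export on a post-redaction re-scan, and scores the detectors for the false positives and false negatives the text says must be tested for.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Assumed detection rules (constructed for this example). A production system would
# tune and extend these and pair them with NLP-based detectors for names and addresses.
PATTERNS: Dict[str, re.Pattern] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CASE_NUMBER": re.compile(r"\bCASE-\d{4}-\d{6}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class RedactedDocument:
    fields: Dict[str, str]                                 # field name -> redacted text
    counts: Dict[str, int] = field(default_factory=dict)   # PII type -> replacements made


def redact_text(text: str, patterns: Dict[str, re.Pattern] = PATTERNS) -> Tuple[str, Dict[str, int]]:
    """Replace every match of every pattern with a typed placeholder.

    Placeholders contain no digits or '@', so applying the patterns in sequence
    cannot create new matches out of earlier replacements.
    """
    counts: Dict[str, int] = {}
    for name, rx in patterns.items():
        text, n = rx.subn(f"[{name} REDACTED]", text)
        if n:
            counts[name] = n
    return text, counts


def redact_document(doc: Dict[str, str]) -> RedactedDocument:
    """Redact each field of a case record before it is shared with an external party."""
    result = RedactedDocument(fields={})
    for name, value in doc.items():
        clean, counts = redact_text(value)
        result.fields[name] = clean
        for pii_type, n in counts.items():
            result.counts[pii_type] = result.counts.get(pii_type, 0) + n
    return result


def verify_clean(fields: Dict[str, str], patterns: Dict[str, re.Pattern] = PATTERNS) -> bool:
    """Export gate: True only if no pattern still matches any field after redaction."""
    return not any(rx.search(v) for v in fields.values() for rx in patterns.values())


def evaluate(cases: Iterable[Tuple[str, Set[str]]],
             patterns: Dict[str, re.Pattern] = PATTERNS) -> Tuple[int, int, int]:
    """Score the detectors on labelled text; returns (true positives, false positives, false negatives).

    A false positive means a non-PII string was redacted (over-redaction that can destroy
    the evidential value of a document); a false negative means real PII leaked through.
    """
    tp = fp = fn = 0
    for text, expected in cases:
        found = {m.group(0) for rx in patterns.values() for m in rx.finditer(text)}
        tp += len(found & expected)
        fp += len(found - expected)
        fn += len(expected - found)
    return tp, fp, fn


# Constructed sample record; every value is fictitious.
SAMPLE_CASE = {
    "case_id": "CASE-2024-000123",
    "narrative": "Subject John Doe (SSN 123-45-6789) was contacted at jdoe@example.com.",
    "notes": "Part no. 555-12-3456 recovered; see CASE-2024-000124.",
}

# Constructed labelled cases for the false-positive / false-negative check.
EVAL_CASES: List[Tuple[str, Set[str]]] = [
    ("SSN 123-45-6789 on file", {"123-45-6789"}),
    ("Part no. 555-12-3456 recovered", set()),         # looks like an SSN: false positive
    ("SSN written as 123 45 6789", {"123 45 6789"}),    # unhyphenated SSN: false negative
    ("Contact jdoe@example.com re CASE-2024-000123", {"jdoe@example.com", "CASE-2024-000123"}),
]

if __name__ == "__main__":
    redacted = redact_document(SAMPLE_CASE)
    for name, value in redacted.fields.items():
        print(f"{name}: {value}")
    print("replacements:", redacted.counts, "| export allowed:", verify_clean(redacted.fields))
    print("tp/fp/fn:", evaluate(EVAL_CASES))
```

Two things the run makes visible that the paragraph only states: the part number in the notes field is redacted because it has the shape of an SSN (a false positive), and the subject's name survives untouched because no regex describes it, which is exactly the gap the text says NLP models are brought in to close. Both findings are why re-estimating the sprint must budget time for testing the feature, not only for writing it.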

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A practitioner preparing for the CISA exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this CISA question test?

This question tests Information Systems Acquisition, Development and Implementation. The key concept is to read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. — Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.

What should I do if I get this CISA question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best", "immediately / without restart". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 25, 2026

This CISA practice question is part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CISA exam.