- A. Implement network-level restrictions to prevent external sharing. Why wrong: addresses the symptom but not the root cause.
- B. Provide users with training on manual redaction as a workaround. Why wrong: not a sustainable control.
- C. Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. Why right: balances compliance and schedule.
- D. Document the risk and accept the compliance exposure until the planned sprint. Why wrong: compliance criticality requires immediate action.
Quick Answer
The answer is to re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. This is correct because agile risk management demands that critical compliance vulnerabilities, such as PII exposure violating privacy laws, be treated as the highest-priority user story; deferring redaction to a future sprint would leave an unacceptable legal risk unmitigated, and the IS auditor’s role is to ensure immediate re-prioritization over schedule preservation. On the CISA exam, this scenario tests your understanding of how agile frameworks handle emergent high-severity risks—specifically that compliance-driven PII redaction must take priority over the release cadence, and the common trap is choosing to defer the fix to maintain the sprint timeline. Remember the memory tip: “Compliance cracks the sprint—re-estimate, don’t delay.”
CISA Practice Question: Information Systems Acquisition, Development and Implementation
This CISA practice question tests your understanding of information systems acquisition, development and implementation. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
- Clue: "best". Why it matters: signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
- Clue: "immediately / without restart". Why it matters: time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.
Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A. Implement network-level restrictions to prevent external sharing. Why it's wrong here: addresses the symptom but not the root cause.
- ✗ B. Provide users with training on manual redaction as a workaround. Why it's wrong here: not a sustainable control.
- ✓ C. Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. Why this is correct: balances compliance and schedule. Clue confirmation: the clue words "best" and "immediately / without restart" in the question point toward this answer. Related concept: read the scenario before looking for a memorised answer.
- ✗ D. Document the risk and accept the compliance exposure until the planned sprint. Why it's wrong here: compliance criticality requires immediate action.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may confuse risk acceptance (Option D) with a valid agile practice, but the IS auditor must prioritize compliance over schedule, and deferring a legal violation is not acceptable risk management when a feasible mitigation exists.
Detailed technical explanation
How to think about this question
In agile risk management, the product backlog is continuously refined based on new information; a PII redaction feature typically involves implementing automated regex-based or machine-learning-based redaction algorithms that scan document fields (e.g., SSN, case numbers) and replace them with placeholders before export. Real-world law enforcement systems often integrate with redaction libraries (e.g., Apache Tika or custom NLP models) that must be tested for false positives/negatives, and re-estimating the sprint ensures the team allocates time for both development and security testing of that feature.
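As an added illustration, not code from the question page or from any real case management system: a minimal regex-based redaction pass of the kind the paragraph describes, together with the false-positive/false-negative check that the sprint's security testing would report. The SSN pattern, the hypothetical CASE-YYYY-NNNNNN case-number format and the labelled sample corpus are all constructed assumptions for this example.

```python
import re

# Constructed patterns for this example; a real system tunes these against its own
# document formats. The CASE-YYYY-NNNNNN case-number format is hypothetical.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CASE_NO": re.compile(r"\bCASE-\d{4}-\d{6}\b"),
}


def redact(text):
    """Replace every match with a [REDACTED:<type>] placeholder before export.
    Returns the redacted text and the list of (type, original) values removed;
    an audit log would record these by count or hash, never by value."""
    hits = []

    def make_repl(kind):
        def repl(match):
            hits.append((kind, match.group(0)))
            return f"[REDACTED:{kind}]"
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_repl(kind), text)
    return text, hits


def evaluate(samples):
    """samples: list of (text, set of strings that MUST be redacted).
    Returns true-positive, false-positive and false-negative counts, the
    metrics the sprint's redaction testing should track before release."""
    tp = fp = fn = 0
    for text, expected in samples:
        _, hits = redact(text)
        found = {original for _, original in hits}
        tp += len(found & expected)
        fp += len(found - expected)   # redacted but should not have been
        fn += len(expected - found)   # leaked: should have been redacted
    return {"tp": tp, "fp": fp, "fn": fn}


# Constructed labelled corpus: one clean document, one phone-style number that the
# SSN regex wrongly catches (false positive), one legacy case-number format the
# CASE_NO regex misses (false negative).
SAMPLES = [
    ("Subject SSN 123-45-6789, file CASE-2023-000417.", {"123-45-6789", "CASE-2023-000417"}),
    ("Contact desk at 555-12-3456 ext 9.", set()),
    ("Ref case 2023-000418 (old format).", {"2023-000418"}),
]

if __name__ == "__main__":
    print(redact(SAMPLES[0][0])[0])
    print(evaluate(SAMPLES))
```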
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A practitioner preparing for the CISA exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this CISA question test?
This question tests Information Systems Acquisition, Development and Implementation. Key concept: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly. — Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.
What should I do if I get this CISA question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "best", "immediately / without restart". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 25, 2026
This CISA practice question is part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CISA exam.