Certified Information Systems Auditor CISA (CISA) — Questions 151–225

509 questions total · 7 pages · All types, answers revealed

Page 3 of 7

151
Multi-Select · medium

Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?

Select 2 answers
A.Requiring change management approval for all production changes
B.Enforcing segregation of duties between development and production
C.Implementing audit logging of all data changes
D.Encrypting production data at rest
E.Using automated testing for all code changes
AnswersA, B

Ensures changes are authorized before implementation.

Why this answer

Requiring change management approval for all production changes (A) is a preventive control: every modification to production is formally requested, reviewed and authorized before it is implemented, so only approved changes proceed. Segregation of duties between development and production (B) is the complementary preventive control: the developers who write code have no direct write access to production systems or data, so a change can reach production only through the approved deployment path. Together they stop unauthorized changes before they happen rather than recording them afterward. Without segregation of duties, an approval workflow can be bypassed by anyone holding direct production access; without an approval workflow, a separate operations team has no basis on which to accept or reject a change.

Exam trap

ISACA often tests the distinction between preventive and detective controls, and the trap here is that candidates mistakenly choose audit logging (a detective control) as a preventive measure because it provides evidence of changes, but it does not stop unauthorized changes from occurring.

152
MCQ · easy

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

A.Increased technical efficiency
B.Improved resource allocation
C.Reduced IT costs
D.Enhanced security posture
AnswerB

Correct. Alignment ensures IT resources are focused on business priorities.

Why this answer

Option B is correct because aligning IT strategy with business strategy ensures that IT investments and initiatives directly support business goals, so resources are allocated to the work that delivers the most business value. Option A is incorrect because technical efficiency is an operational concern that may or may not follow from alignment. Option C is incorrect because cost reduction is a possible outcome but not the primary benefit.

Option D is incorrect because an improved security posture is one aspect of a well-governed IT function, not the primary benefit of strategic alignment.

153
MCQ · hard

A multinational corporation is implementing a bring your own device (BYOD) policy. Which of the following is the most important security control to ensure corporate data is protected on employee devices?

A.Require employees to install antivirus software.
B.Prohibit the use of personal devices for work.
C.Mandate full-device encryption.
D.Implement mobile device management (MDM) with containerization.
AnswerD

Correct. Containerization segregates corporate data and enables selective wipe without affecting personal data.

Why this answer

Option D is correct because Mobile Device Management (MDM) with containerization creates a separate, encrypted workspace on the employee's device that isolates corporate data from personal data. This ensures that the organization can enforce security policies (e.g., remote wipe, access controls) on the corporate container without affecting the user's personal information, which is critical for BYOD environments where full-device control is not feasible.

Exam trap

The trap here is that candidates often confuse full-device encryption (Option C) as sufficient for BYOD, failing to recognize that encryption alone does not provide data segregation or selective wipe capabilities, which are essential for protecting corporate data on a device the organization does not fully own.

How to eliminate wrong answers

Option A is wrong because antivirus software alone cannot prevent data leakage or enforce access controls on corporate data; it only protects against malware and does not address the core requirement of data segregation on a shared device. Option B is wrong because prohibiting personal devices for work directly contradicts the BYOD policy being implemented, making it a policy rejection rather than a security control. Option C is wrong because full-device encryption protects data at rest but does not separate corporate data from personal data; in a BYOD scenario, the organization would have no control over the user's personal apps or data, and a remote wipe would erase everything, including personal content.

154
MCQ · hard

A financial services organization recently experienced a data breach where customer financial records were exfiltrated. The investigation reveals that an attacker gained access through a compromised privileged account belonging to a database administrator. The attacker used valid credentials to log into the database server and then exported a large volume of data using native database tools. The security team notes that the organization has multi-factor authentication (MFA) enabled for all remote access, but the database server was accessed from an internal IP address. The organization also has a data loss prevention (DLP) system, but it did not alert on the export because the traffic was encrypted. The database activity monitoring (DAM) system did log the export, but alerts were not reviewed due to high volume and many false positives. Which of the following would have been most effective in preventing this breach?

A.Deploying a DLP solution that can inspect encrypted traffic via SSL interception
B.Implementing a privileged access management (PAM) solution that requires approval for elevated actions and records sessions
C.Segmenting the database server onto a separate network with strict firewall rules
D.Improving the database activity monitoring (DAM) alerting to reduce false positives
AnswerB

PAM controls and monitors privileged access, reducing the risk of misuse.

Why this answer

The breach occurred because a privileged database administrator account was compromised and the attacker used native database tools to export data from an internal IP address; MFA was enforced only on remote access, so it never applied to this session. A privileged access management (PAM) solution would have required approval for elevated actions (e.g., exporting large volumes of data) and recorded the session, providing both a preventive control (approval workflow) and a detective control (session recording) to stop or immediately surface the abuse of valid credentials. This directly addresses the root cause, compromised privileged credentials, rather than relying on network or alerting controls that the attacker never had to cross.

Exam trap

The trap here is that candidates often focus on detection or network controls (DLP, segmentation, DAM) instead of recognizing that the root cause is the abuse of valid privileged credentials, which requires a preventive control like PAM that manages and monitors privileged access at the point of action.

How to eliminate wrong answers

Option A is wrong because SSL interception of encrypted traffic would not have prevented the breach; the attacker used native database tools over an encrypted connection from an internal IP, and DLP inspection of encrypted traffic would still need to decrypt and analyze the content, which is complex and may not block the export if the attacker uses legitimate database protocols. Option C is wrong because network segmentation with firewall rules would not prevent an attacker who already has valid credentials from an internal IP; the attacker was already on the internal network and could access the database server through permitted firewall rules. Option D is wrong because improving DAM alerting to reduce false positives would only improve detection, not prevention; the breach had already occurred by the time the alert was generated, and the attacker had already exfiltrated the data.

155
MCQ · easy

What is the PRIMARY purpose of a post-implementation review?

A.To close the project budget and finalize costs
B.To evaluate the performance of the project team
C.To document lessons learned for future projects
D.To assess whether expected benefits were achieved
AnswerD

The post-implementation review determines if the system delivers the intended business value and helps identify areas for improvement.

Why this answer

The primary purpose of a post-implementation review (PIR) is to determine whether the system or project has delivered the expected business benefits, such as improved efficiency, cost savings, or enhanced functionality. This aligns with the IS auditor's focus on value realization and governance, ensuring that the investment achieved its intended objectives before the project is formally closed.

Exam trap

The trap here is that candidates confuse the PIR's primary purpose with the project closure process (Option A) or the team's performance evaluation (Option B), but CISA emphasizes that the review's core objective is to confirm that the system delivers the expected business value, not just to complete administrative tasks.

How to eliminate wrong answers

Option A is wrong because closing the project budget and finalizing costs is a financial closure activity that occurs during project closeout, not the primary goal of a PIR, which focuses on benefits realization. Option B is wrong because evaluating the performance of the project team is a human resource or project management task, often done during or immediately after project execution, whereas the PIR assesses the system's outcomes against business case criteria. Option C is wrong because documenting lessons learned is a secondary output of a PIR, but the primary purpose is to verify that expected benefits were achieved; lessons learned support future projects but do not validate the current investment's success.

156
MCQ · easy

Based on the exhibit, what is the default retention period for data?

A.365 days
B.30 days for Legal role only
C.The policy does not specify a default period
D.30 days
AnswerA

Correct. The default retention period is 365 days.

Why this answer

Option A is correct because the exhibit's JSON sets 'retentionPeriodDays': 365, which is the default applied to all data. Option D is incorrect because 30 days is the additional retention extension granted to the Legal role, not the default. Option B is incorrect because that 30-day extension applies only to Legal and is not a default period for anyone.

Option C is incorrect because the policy explicitly specifies the default period.

157
MCQ · easy

Which testing phase is MOST effective for validating that the system meets business needs?

A.User acceptance testing
B.Regression testing
C.Unit testing
D.Integration testing
AnswerA

UAT is performed by users to validate business requirements.

Why this answer

User acceptance testing (UAT) is the final phase of testing where actual end-users validate the system against real-world business requirements and workflows. It confirms that the system meets the agreed-upon business needs, functional specifications, and operational criteria before production deployment. Unlike technical testing phases, UAT focuses on business process alignment and user satisfaction.

Exam trap

ISACA often tests the misconception that integration testing or system testing validates business needs, but only UAT directly involves end-users and business stakeholders to confirm the system meets their operational requirements.

How to eliminate wrong answers

Option B (Regression testing) is wrong because it focuses on verifying that recent code changes have not broken existing functionality, not on validating business needs. Option C (Unit testing) is wrong because it tests individual components or modules in isolation at the developer level, ensuring code correctness but not business requirement alignment. Option D (Integration testing) is wrong because it validates that combined modules or systems work together correctly, but it does not assess whether the overall system satisfies business objectives or user expectations.

158
MCQ · medium

A company plans to outsource its data center operations to a cloud service provider. What is the MOST important governance consideration for the board before finalizing the contract?

A.Select a provider with the lowest cost per transaction.
B.Negotiate the transfer of existing IT staff to the provider.
C.Ensure the contract includes clauses for regulatory compliance and audit rights.
D.Define a detailed exit strategy for transitioning to another provider.
AnswerC

Compliance and audit rights are critical for governance and oversight.

Why this answer

Option C is correct because the board's governance responsibility is oversight: contractual clauses for regulatory compliance (e.g., data residency, security standards) and the right to audit the provider are what give the board assurance that the organization's obligations are still met once operations are outsourced. Option A is wrong because selecting on lowest cost per transaction is a procurement criterion, not a governance consideration, and can undermine control requirements. Option B is wrong because transferring staff is a human resources and transition matter.

Option D is wrong because an exit strategy, while important, is an operational continuity item that is normally addressed once compliance and audit rights have been secured.

159
Multi-Select · medium

Which TWO of the following are key performance indicators (KPIs) for IT operations?

Select 2 answers
A.Number of unresolved incidents
B.Employee satisfaction score
C.Mean time to repair (MTTR)
D.System availability percentage
E.Budget variance
AnswersC, D

MTTR measures the efficiency of incident resolution.

Why this answer

Mean time to repair (MTTR) measures the average time taken to restore a failed IT service or component, directly reflecting operational efficiency and incident response effectiveness. It is a standard KPI for IT operations because it quantifies the speed of recovery, which is critical for minimizing downtime and maintaining service levels. System availability percentage measures the proportion of time the service was usable against its committed service level, which is the most direct indicator of whether IT operations is delivering what the business relies on.

Exam trap

The trap here is that candidates confuse operational metrics (like unresolved incidents) with KPIs, or they mistakenly include non-operational metrics (like employee satisfaction or budget variance) that are relevant to other domains but not to IT operations performance.

160
MCQ · easy

An organization is implementing a new financial system. Which of the following is the MOST important control to ensure data integrity during the data migration phase?

A.Conducting a post-implementation review
B.Implementing reconciliation controls between source and target
C.Encrypting data in transit
D.Performing user acceptance testing
AnswerB

Reconciliation ensures data completeness and accuracy.

Why this answer

Reconciliation controls between source and target systems are the most critical control for ensuring data integrity during migration because they provide a systematic method to verify that every record has been accurately transferred without loss, duplication, or corruption. This typically involves comparing record counts, control totals over key numeric fields, and per-record or batch checksums (e.g., SHA-256; MD5 still appears in legacy tooling but should not be relied on where tampering rather than accidental corruption is the concern) between the legacy and new databases, and flagging any discrepancies for correction before the system goes live.

Exam trap

The trap here is that candidates often confuse data integrity controls with security controls (like encryption) or validation activities (like UAT), failing to recognize that reconciliation is the only option that directly verifies the accuracy and completeness of the migrated data itself.

How to eliminate wrong answers

Option A is wrong because a post-implementation review occurs after the migration is complete and cannot prevent or detect data integrity issues during the migration process itself; it is a retrospective evaluation, not a real-time control. Option C is wrong because encrypting data in transit (e.g., using TLS 1.3 or IPsec) protects confidentiality and prevents unauthorized interception, but it does not ensure that the data being transferred is accurate, complete, or uncorrupted. Option D is wrong because user acceptance testing (UAT) focuses on validating that the system meets functional requirements and user expectations, not on verifying the completeness and accuracy of migrated data at the record level.
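The reconciliation described above, as an added example that is not part of the exam page: it compares record counts, a control total over a numeric field, and a per-record SHA-256 fingerprint so that missing, duplicated and altered rows are listed rather than merely counted. The record layout ('id', 'customer', 'amount') and the sample rows are constructed; the target set is built so that counts match while the content does not, which is exactly the case a count-only check misses.

```python
"""Source-to-target reconciliation for a data migration (added example).

Assumptions (not from the exam page): records are dicts keyed by a primary
key 'id' with a numeric 'amount' field; SOURCE and TARGET are constructed.
"""
import hashlib
import json
from decimal import Decimal

SOURCE = [
    {"id": 1, "customer": "ACME", "amount": "100.00"},
    {"id": 2, "customer": "Globex", "amount": "250.50"},
    {"id": 3, "customer": "Initech", "amount": "75.25"},
    {"id": 4, "customer": "Umbrella", "amount": "10.00"},
]

# Constructed target load: same row count as the source, but one row is
# missing, one has transposed digits, and one was loaded twice.
TARGET = [
    {"id": 1, "customer": "ACME", "amount": "100.00"},
    {"id": 2, "customer": "Globex", "amount": "250.05"},
    {"id": 4, "customer": "Umbrella", "amount": "10.00"},
    {"id": 4, "customer": "Umbrella", "amount": "10.00"},
]


def record_fingerprint(rec: dict) -> str:
    """SHA-256 over a canonical JSON form, so field order cannot cause a mismatch."""
    canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode()).hexdigest()


def reconcile(source: list[dict], target: list[dict],
              key: str = "id", total_field: str = "amount") -> dict:
    """Run the three reconciliation checks a migration control would apply:
    record counts (with duplicate detection), a control total over
    `total_field`, and per-record fingerprints keyed by `key`."""
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    src_dups = len(source) - len(src)
    tgt_dups = len(target) - len(tgt)
    src_total = sum(Decimal(str(r[total_field])) for r in source)
    tgt_total = sum(Decimal(str(r[total_field])) for r in target)
    missing = sorted(set(src) - set(tgt))
    extra = sorted(set(tgt) - set(src))
    altered = sorted(k for k in set(src) & set(tgt)
                     if record_fingerprint(src[k]) != record_fingerprint(tgt[k]))
    clean = not (missing or extra or altered or src_dups or tgt_dups
                 or src_total != tgt_total or len(source) != len(target))
    return {
        "source_count": len(source), "target_count": len(target),
        "source_duplicates": src_dups, "target_duplicates": tgt_dups,
        "source_total": src_total, "target_total": tgt_total,
        "missing_in_target": missing, "extra_in_target": extra,
        "altered": altered, "clean": clean,
    }


if __name__ == "__main__":
    for name, value in reconcile(SOURCE, TARGET).items():
        print(f"{name}: {value}")
```

Note that `source_count` and `target_count` both come out as 4 for the constructed data: only the control total and the per-record fingerprints expose the missing row, the altered amount and the duplicate, which is why a reconciliation control needs all three checks and not a row count alone.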

161
MCQ · medium

Refer to the exhibit. An auditor finds that users are able to reuse previous passwords easily. Which setting should be modified to address this weakness?

A.Increase the password history to 10
B.Increase the minimum password age to 7 days
C.Enable password expiration notifications
D.Increase the maximum password age to 30 days
AnswerA

Correct. A higher password history forces users through more distinct passwords before an old one can be reused.

Why this answer

Increasing the password history setting (e.g., to 10) prevents users from reusing their most recent passwords by storing a specified number of previous password hashes. When a user attempts to change their password, the system compares the new password against the stored history and rejects it if it matches any of the remembered passwords. This directly addresses the weakness of easy password reuse.

Exam trap

The trap here is that candidates often confuse password history with password age settings, thinking that increasing the maximum password age or minimum password age will prevent reuse, when in fact only password history directly blocks the use of previously used passwords.

How to eliminate wrong answers

Option B is wrong because increasing the minimum password age to 7 days prevents users from changing passwords frequently to cycle back to an old password, but it does not prevent reuse of previous passwords after that period expires. Option C is wrong because enabling password expiration notifications only alerts users that their password will expire; it does not enforce any restriction on reusing old passwords. Option D is wrong because increasing the maximum password age to 30 days extends how long a password can be used before it must be changed, but it does not prevent the user from reusing a previous password when the change occurs.
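The two settings the question contrasts, password history and minimum password age, implemented together as an added example (not from the exam page, and not any particular product's policy engine). It assumes a per-user record that keeps salted PBKDF2 hashes of the last N passwords; because each entry has its own salt, a candidate password has to be re-derived against every stored entry. The dates, passwords and iteration count are constructed for the demonstration.

```python
"""Password history and minimum-age enforcement (added example).

Assumed design: the user record stores (salt, PBKDF2-SHA256 digest) pairs
for the most recent HISTORY_DEPTH passwords plus the time of the last change.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

HISTORY_DEPTH = 10                    # "Increase the password history to 10"
MIN_PASSWORD_AGE = timedelta(days=7)  # blocks rapid cycling back to an old password
PBKDF2_ITERATIONS = 200_000           # lowered for the demo; use a current OWASP figure


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    def __init__(self, password: str, changed_at: datetime):
        self.history: list[tuple[bytes, bytes]] = []  # (salt, digest), newest first
        self.changed_at = changed_at
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, _derive(password, salt)))
        del self.history[HISTORY_DEPTH:]  # forget anything older than the window

    def matches_previous(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is derived per entry;
        # compare_digest avoids a timing side channel on the comparison.
        return any(hmac.compare_digest(_derive(candidate, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str, now: datetime) -> str:
        if now - self.changed_at < MIN_PASSWORD_AGE:
            return "rejected: minimum password age not reached"
        if self.matches_previous(new_password):
            return "rejected: password was used recently"
        self._store(new_password)
        self.changed_at = now
        return "accepted"


def run_scenario() -> list[str]:
    """The sequence an auditor would test: an immediate change, a normal change,
    an attempt to reuse the original password, and another normal change."""
    t0 = datetime(2024, 1, 1, 9, 0)
    rec = PasswordRecord("Winter2023!", t0)
    return [
        rec.change_password("Spring2024!", t0 + timedelta(days=1)),
        rec.change_password("Spring2024!", t0 + timedelta(days=8)),
        rec.change_password("Winter2023!", t0 + timedelta(days=16)),
        rec.change_password("Summer2024!", t0 + timedelta(days=24)),
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The minimum-age check is what stops the classic workaround of changing the password eleven times in a row to flush the history; the history check is the control that actually rejects the reused password, which is why the question's answer is the history setting and the age settings are distractors.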

162
MCQ · hard

What is the MOST significant weakness in the planned remediation?

A.The remediation only addresses a subset of projects.
B.The remediation may not eliminate the segregation of duties issue.
C.The remediation relies on technology rather than process.
D.The remediation does not include a compensating control.
AnswerB

An automated tool does not prevent the same developer from performing both coding and review if they run the tool.

Why this answer

Option B is correct because an automated code review tool can still be run by the same developer who wrote the code, so the remediation does not guarantee that coding and review are performed by different people. The tool does not address the root cause, which is one person performing both tasks. Option A (only a subset of projects) is not the most significant weakness; the tool could be rolled out to all projects.

Option C (technology rather than process) is a valid concern but secondary to the unresolved segregation of duties. Option D (no compensating control) is related, but it is a consequence of the same gap rather than the most direct statement of it.

163
MCQ · medium

A multinational corporation is deploying a new cloud-based collaboration platform for its 5,000 employees. The platform will store sensitive project data and intellectual property. The CISO mandates that all data must be encrypted at rest and in transit, and that access must be controlled via the company's identity provider (IdP) using SAML 2.0. During a pilot with the R&D department, the security team discovers that the platform's audit logs do not record failed login attempts from the IdP. The platform vendor states that the IdP is responsible for authentication, so the platform only logs successful assertions. The CISO is concerned about the lack of visibility into brute-force attacks. The company already has a SIEM that receives logs from the IdP and other sources. What is the BEST course of action?

A.Replace the cloud platform with one that provides built-in authentication logging
B.Enable detailed logging on the IdP for all authentication attempts and forward those logs to the SIEM for monitoring
C.Configure the cloud platform to require re-authentication for every session and log all authentication events locally
D.Implement a stricter password policy for the IdP to reduce the risk of brute-force attacks
AnswerB

The IdP can log failed attempts; forwarding to the SIEM provides the needed visibility.

Why this answer

Option B is correct because the IdP is the authoritative source for authentication events in a SAML 2.0 federated identity model. The cloud platform only receives and logs successful SAML assertions, so it cannot log failed login attempts. Enabling detailed logging on the IdP for all authentication attempts (successes and failures) and forwarding those logs to the SIEM provides the necessary visibility into brute-force attacks without changing the platform or architecture.

Exam trap

The trap here is that candidates assume the cloud platform should handle all logging, but in a SAML 2.0 federation, the IdP is the sole source of authentication event logs, and the platform only logs successful assertions.

How to eliminate wrong answers

Option A is wrong because replacing the cloud platform is unnecessary and costly; the existing architecture with SAML 2.0 is standard and the IdP is the correct place to log authentication events. Option C is wrong because requiring re-authentication for every session would severely degrade user experience and still would not cause the platform to log failed IdP authentication attempts, as the platform only processes successful assertions. Option D is wrong because a stricter password policy reduces the risk of successful brute-force attacks but does not provide the visibility into failed attempts that the CISO requires for monitoring and detection.

164
MCQ · hard

Based on the exhibit, which control deficiency is most critical for the IS auditor to address?

A.SSH is configured to allow root login
B.The admin user logged in successfully with a password
C.Public key authentication is not being used
D.The system lacks a policy to lock accounts after repeated failed login attempts
AnswerD

Correct. Multiple failed attempts for root from the same IP indicate a brute-force attack, and no lockout is evident.

Why this answer

Option D is the most critical deficiency because without an account lockout policy, the system is vulnerable to brute-force password guessing attacks. Even if other controls like SSH key authentication are missing, a lockout policy is a fundamental defense that directly mitigates repeated login attempts, which is a primary attack vector for gaining unauthorized access.

Exam trap

The trap here is that candidates often focus on technical misconfigurations like root login or missing public key authentication, overlooking the foundational security control of account lockout, which is a direct defense against brute-force attacks and is frequently tested as a critical deficiency in CISA exams.

How to eliminate wrong answers

Option A is wrong because while allowing root login via SSH is a security risk, it is less critical than the absence of a lockout policy; root login can be mitigated with other controls like key-based authentication and sudo restrictions. Option B is wrong because a successful password login by the admin user is expected behavior and not a control deficiency; the issue is the lack of stronger authentication methods, not the act of logging in. Option C is wrong because although public key authentication is more secure than password authentication, its absence is a weakness but not as immediately critical as the lack of a lockout policy, which leaves the system exposed to brute-force attacks regardless of authentication method.
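The brute-force pattern in this question's exhibit (repeated failures for root from one source, then a success) and the IdP failed-authentication monitoring of question 163 are the same detection problem once the events reach a SIEM. Below is an added example, not from the exam page or any vendor product, of that detection logic run over constructed sshd auth-log lines: it raises one alert when a source IP crosses a failure threshold inside a sliding window, and a second, higher-priority alert if that same source then authenticates successfully. The hostname, addresses, PIDs and the assumed log year are constructed; the same sliding-window logic applies unchanged to IdP events with a user, source and outcome field.

```python
"""Brute-force detection over authentication events (added example).

Parses constructed sshd syslog lines; syslog timestamps carry no year, so
LOG_YEAR is an assumption. The exhibit's real lines are not on this page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)
LOG_YEAR = 2024

# Constructed sample: six failures for root from one address in ten seconds,
# then a success from the same address; one ordinary admin typo elsewhere.
SAMPLE_LOG = """\
Mar  4 02:10:01 db01 sshd[1411]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  4 02:10:03 db01 sshd[1411]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  4 02:10:04 db01 sshd[1413]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  4 02:10:06 db01 sshd[1415]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  4 02:10:07 db01 sshd[1417]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  4 02:10:09 db01 sshd[1419]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  4 02:10:11 db01 sshd[1421]: Accepted password for root from 203.0.113.7 port 51058 ssh2
Mar  4 02:12:40 db01 sshd[1430]: Failed password for admin from 10.0.5.12 port 40022 ssh2
Mar  4 02:12:55 db01 sshd[1432]: Accepted password for admin from 10.0.5.12 port 40024 ssh2
"""


def parse(line: str):
    """Return a normalized event dict, or None for lines that are not auth events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Sliding-window detector keyed by source IP.

    Emits ('brute_force', ip, user, failures) once when a source reaches
    `threshold` failures inside `window`, and ('success_after_burst', ...)
    for any later success from a source that was already bursting."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still in window
    bursting = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                 # expire failures that fell out of the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in bursting:
                bursting.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], len(q)))
        elif ev["ip"] in bursting:
            alerts.append(("success_after_burst", ev["ip"], ev["user"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Raising the alert once per source, rather than once per failed line, is what keeps this rule usable at scale; a rule that fires on every failure produces exactly the alert volume that caused the DAM alerts in question 154 to go unreviewed. The admin user's single typo followed by a success produces nothing, which is the intended behaviour.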

165
MCQ · hard

Refer to the exhibit. Which of the following is the most significant risk associated with the backup policy for critical data?

A.Offsite backup storage is not configured
B.Retention period is insufficient to meet regulatory requirements
C.Backup frequency is too low to meet recovery point objectives
D.Encryption is not enabled for backup data
AnswerB

The policy retains backups for 30 days, but compliance requires 7 years. This is a critical gap.

Why this answer

Option B is correct because the backup policy shows a retention period of only 30 days, which is insufficient to meet regulatory requirements such as SOX or HIPAA and the sector-specific record-keeping rules that mandate retention of financial or health records for years (the exhibit's requirement is seven years). Without adequate retention, the organization risks non-compliance, legal penalties, and an inability to produce historical records during audits or litigation.

Exam trap

The trap here is that candidates focus on operational risks like backup frequency or encryption, but the most significant risk is regulatory compliance failure due to insufficient retention, which can result in severe penalties and, in regulated sectors, loss of the license to operate.

How to eliminate wrong answers

Option A is wrong because, although the absence of offsite backup storage increases the risk of data loss in a site disaster, it is less significant than regulatory non-compliance, and the policy could still meet its RPO/RTO with local backups. Option C is wrong because the daily backup frequency is typically sufficient to meet common recovery point objectives (RPOs) of 24 hours or less, and the question does not indicate a tighter RPO requirement. Option D is wrong because encryption of backup data, while a security best practice, is not the most significant risk here; the policy does not mention encryption, but the primary concern is retention compliance, not data confidentiality at rest.

166
MCQ · hard

A multinational corporation is implementing a global IT governance framework. Which of the following challenges is MOST likely to arise?

A.Conflicting regulatory requirements
B.Standardizing hardware across regions
C.Training users on new procedures
D.Software licensing costs
AnswerA

Correct. Different legal environments require careful navigation.

Why this answer

Option A is correct because conflicting regulatory requirements across countries create the most significant challenge for a global framework. Options B, C, and D are all potential issues but are typically easier to manage than legal compliance.

167
MCQ · medium

An IS auditor finds that a project failed to meet its objectives because key stakeholders were not involved in the requirements definition phase. Which phase of the SDLC was most neglected?

A.Requirements analysis
B.Development
C.Design
D.Testing
AnswerA

Stakeholder involvement is essential to define complete and accurate requirements.

Why this answer

The requirements analysis phase is where stakeholder needs are formally captured and documented. Without key stakeholder involvement, the project lacks a validated baseline of what must be built, leading to misaligned objectives and scope creep. The IS auditor’s finding directly points to a failure in this phase, as it is the only SDLC phase that defines the project’s success criteria from the user’s perspective.

Exam trap

The trap here is that candidates confuse the symptoms of failure (e.g., poor design or failed tests) with the root cause, which here is the phase where the stakeholder input was missing: requirements analysis.

How to eliminate wrong answers

Option B is wrong because the development phase focuses on coding and building the system based on already-defined requirements; neglecting stakeholder input here would not cause the initial objective failure. Option C is wrong because the design phase translates requirements into technical specifications and architecture; if requirements were incomplete, design would be flawed, but the root cause remains the earlier phase. Option D is wrong because testing verifies that the system meets the documented requirements; it cannot compensate for missing or incorrect requirements that were never captured.

168
MCQ · medium

An organization uses a cloud-based ERP system to manage financial transactions. The system is accessed by employees in finance, procurement, and sales departments. The IS auditor is reviewing the user access review process. The access review is performed quarterly by the IT manager using a report generated by the ERP system. The report lists all users and their roles. The IT manager manually checks off users who are still employed and approves the report. The auditor notes that the IT manager does not have detailed knowledge of job functions in each department. Additionally, the ERP system allows role combinations that may create segregation of duties conflicts, such as a user having both 'create purchase order' and 'approve purchase order' roles. The company's policy requires segregation of duties reviews to be performed by business process owners. Which of the following is the BEST recommendation?

A.Increase the frequency of access reviews to monthly
B.Implement an automated tool to identify segregation of duties conflicts
C.Assign the access review to business process owners from each department
D.Require the IT manager to obtain confirmation from each department head
AnswerC

Business owners understand the necessary segregation of duties.

Why this answer

The core issue is that the IT manager lacks the business process knowledge to assess whether role combinations create segregation of duties (SoD) conflicts. Company policy explicitly requires SoD reviews to be performed by business process owners. Assigning the access review to business process owners from each department (Option C) directly aligns with policy and ensures that those with functional knowledge evaluate whether role assignments violate SoD rules, such as a user having both 'create purchase order' and 'approve purchase order' roles.

Exam trap

The trap here is that candidates often choose an automated tool (Option B) as the 'best' technical solution, but the question emphasizes policy compliance and the need for business process owner involvement, not just technical detection.

How to eliminate wrong answers

Option A is wrong because increasing the frequency of reviews does not address the root cause—the reviewer lacks the business knowledge to identify SoD conflicts; monthly reviews by an unqualified reviewer would still miss conflicts. Option B is wrong because while an automated tool can flag potential SoD conflicts, the question asks for the BEST recommendation given the policy requirement that business process owners perform SoD reviews; automation is a supporting control, not a substitute for assigning the review to the correct personnel. Option D is wrong because requiring the IT manager to obtain confirmation from department heads still leaves the IT manager as the primary reviewer, which violates the policy that business process owners themselves should perform the review, and it introduces a reliance on indirect confirmation rather than direct ownership.

169
Multi-Select · medium

An IS auditor is reviewing the design phase of a new procurement system. Which TWO of the following controls are MOST critical to include in the system design to prevent unauthorized purchases?

Select 2 answers
A.Mandatory approval workflows for purchase orders above a threshold.
B.Automated performance reports on purchase cycle times.
C.Segregation of duties between requisition and approval.
D.Real-time audit logging of all purchase transactions.
E.Encryption of purchase order data in transit.
AnswersA, C

Prevents unauthorized high-value purchases.

Why this answer

Mandatory approval workflows for purchase orders above a threshold are critical because they enforce a policy-based control that prevents unauthorized high-value purchases by requiring explicit authorization from a designated approver. This control is designed into the system to intercept transactions that exceed a predefined limit, ensuring that no single user can bypass financial authority limits. Segregation of duties between requisition and approval completes the control: the person who raises a request cannot also authorize it, so a single insider cannot push an unauthorized purchase through on their own.

Exam trap

The trap here is that candidates often confuse detective controls (like audit logging) or security controls (like encryption) with preventive controls that directly stop unauthorized actions, failing to recognize that only preventive controls like approval workflows and segregation of duties address the root cause of unauthorized purchases.
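Both controls in this question, and the segregation-of-duties conflict detection that question 168 mentions as a supporting tool, reduce to a small amount of code once the rules are written down. The example below is added here and is not from the exam page or any ERP product: a detective check that lists users holding conflicting role pairs (the 'create purchase order' plus 'approve purchase order' case from question 168), and a preventive check at the approval step that enforces the amount threshold, the approver role, and requester-is-not-approver. The conflict matrix, thresholds, user-role assignments and purchase orders are all constructed.

```python
"""Segregation-of-duties checks for a procurement system (added example).

Every rule, user and amount below is constructed for illustration.
"""
from itertools import combinations

# Role pairs one person must never hold together (constructed rule set).
SOD_CONFLICTS = {
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"create_vendor", "approve_purchase_order"}),
    frozenset({"approve_purchase_order", "post_payment"}),
}

APPROVAL_THRESHOLD = 5_000        # above this an approver is required
DUAL_APPROVAL_THRESHOLD = 50_000  # above this two distinct approvers are required

USER_ROLES = {
    "jdoe":   {"create_purchase_order"},
    "asmith": {"approve_purchase_order"},
    "bwong":  {"create_purchase_order", "approve_purchase_order"},  # SoD conflict
    "cfo":    {"approve_purchase_order", "post_payment"},           # SoD conflict
}


def find_sod_conflicts(user_roles: dict[str, set[str]]) -> list[tuple[str, tuple[str, str]]]:
    """Detective control: every (user, conflicting role pair) in the assignments."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((user, (a, b)))
    return hits


def approve_purchase_order(po: dict, approvers: list[str],
                           user_roles: dict[str, set[str]] = USER_ROLES) -> str:
    """Preventive control at the point of approval: threshold, approver role,
    distinct approvers for large amounts, and no self-approval."""
    amount = po["amount"]
    if amount <= APPROVAL_THRESHOLD:
        return "released: below approval threshold"
    needed = 2 if amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(set(approvers)) < needed:
        return f"held: {needed} distinct approver(s) required"
    for approver in approvers:
        if "approve_purchase_order" not in user_roles.get(approver, set()):
            return f"rejected: {approver} lacks approval role"
        if approver == po["requester"]:
            return f"rejected: {approver} cannot approve own request"
    return "released: approved"


if __name__ == "__main__":
    print(find_sod_conflicts(USER_ROLES))
    print(approve_purchase_order({"id": "PO-1", "requester": "bwong", "amount": 12_000}, ["bwong"]))
```

The detective check is what an automated SoD tool would run against the access report in question 168; the preventive check is what the system design in this question builds into the transaction path. Note that the preventive check catches bwong's self-approval even though bwong legitimately holds the approval role, which is why the approval step must compare approver against requester rather than only checking roles.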

170
MCQ · medium

An IS auditor is reviewing an organization's data classification policy. Which of the following findings is MOST critical?

A.Employees receive data classification training only once per year
B.Data classification is performed manually without automated tools
C.Sensitive data is not encrypted at rest
D.Data owners have not been identified for most data assets
AnswerD

Without data owners, classification cannot be enforced.

Why this answer

Without identified data owners, no one is accountable for classifying, protecting, or granting access to data assets. This foundational gap undermines the entire data classification policy, making it impossible to enforce controls like encryption or access reviews. The CISA emphasizes that data owner assignment is the first step in any data governance framework.

Exam trap

The trap here is that candidates focus on visible technical controls like encryption (Option C) rather than the foundational governance requirement of data ownership, which the CISA considers more critical for policy effectiveness.

How to eliminate wrong answers

Option A is wrong because annual training, while not ideal, is a common baseline and does not directly break the classification policy; the critical failure is lack of ownership, not training frequency. Option B is wrong because manual classification can be acceptable in small environments or as a starting point; automated tools are a control enhancement, not a requirement. Option C is wrong because encryption at rest is a technical safeguard that should be applied based on classification, but without identified data owners, the classification itself is unenforceable.

171
MCQ (hard)

Refer to the exhibit. An IS auditor is reviewing an IAM policy for a cloud data platform. The auditor notices that user jdoe has READ_ONLY access to all tables matching 'sales_', but asmith has READ_WRITE access to the same set of tables. Which of the following is the MOST critical control issue?

A. Users should not be directly assigned roles; use groups
B. The roles data_analyst and data_scientist have overlapping permissions
C. User jdoe should not have access to the sales_ tables
D. The resource pattern '.*' in the regex could grant access to unintended tables
Answer: D

The pattern '.*' after 'sales_' matches any suffix, but the preceding '.*' in the dataset pattern is overly broad.

Why this answer

Option D is correct because the regex pattern '.*' in the resource block is overly permissive and could match unintended tables beyond the intended 'sales_' prefix. In AWS IAM policies, the resource element uses regex-like patterns, and '.*' after 'sales_' would match any characters, including tables like 'sales_archive_private' or 'sales_2024_sensitive', potentially exposing sensitive data. This violates the principle of least privilege and is a critical control issue.

Exam trap

ISACA often tests the misconception that direct user assignment or role overlap is the primary issue, when in fact the overly broad resource pattern is the most critical control weakness.

How to eliminate wrong answers

Option A is wrong because while using groups is a best practice, the direct assignment of roles to users is not inherently a critical control issue; the policy itself is flawed regardless of assignment method. Option B is wrong because overlapping permissions between roles is not inherently a control issue; roles can legitimately share permissions, and the question focuses on the policy's resource pattern, not role design. Option C is wrong because jdoe has READ_ONLY access to sales_ tables, which may be appropriate for a data analyst; the issue is not that jdoe should lose access, but that the regex pattern could grant unintended access to both users.

172
MCQ (hard)

Which control failure is MOST significant?

A. Insufficient incident notification procedures
B. Lack of timely incident response
C. Delayed alerting
D. Inadequate monitoring
Answer: A

The 95-minute gap between alert and notification indicates a procedural failure.

Why this answer

Option A is correct because the delay in notifying the incident response team (from 14:25 to 16:00) is the most significant failure, as it allowed unauthorized access to continue. Option C is not a failure (the alert itself was timely); B is a contributing factor but not the primary failure; D is secondary.

173
Drag & Drop (medium)

Order the steps for conducting an audit engagement from start to finish.

Why this order

Audit engagement follows: planning (scope, program), fieldwork, analysis, and reporting with management review.

174
Multi-Select (easy)

An IS auditor is reviewing a request for proposal (RFP) for a new system. Which TWO elements should be included in the RFP?

Select 2 answers
A. Confidentiality agreement
B. Vendor's financial stability information
C. Sample contract terms
D. Employee resumes for the proposed team
E. Detailed technical specifications
Answers: B, E

Financial stability helps assess vendor viability.

Why this answer

In an RFP for a new system, including the vendor's financial stability information (B) is critical to assess the vendor's long-term viability and ability to support the system over its lifecycle. This helps mitigate the risk of vendor failure or bankruptcy, which could disrupt operations and leave the organization with an unsupported system.

Exam trap

The trap here is that candidates may confuse the RFP's purpose with later procurement stages, incorrectly including contract terms or personnel details that are better suited for the proposal evaluation or negotiation phase.

175
MCQ (medium)

Refer to the exhibit. Which of the following statements is TRUE regarding this S3 bucket policy?

A. Anonymous read access is allowed only over HTTPS
B. The bucket is fully public for all actions
C. Write access is allowed over HTTP
D. Only authenticated users can access objects
Answer: A

The condition requires SecureTransport (HTTPS), and access is anonymous.

Why this answer

Option A is correct because the S3 bucket policy includes a condition requiring `aws:SecureTransport` to be `true`, so any request that is not made over HTTPS fails the condition and is not permitted. The `Effect: Allow` for `Principal: "*"` grants anonymous read access, but the `Condition` block ensures that only HTTPS requests match the statement, making anonymous read access allowed only over HTTPS.

Exam trap

ISACA often tests the nuance that a policy granting anonymous access with a `Condition` block can still restrict the protocol, leading candidates to mistakenly think the bucket is fully public or that only authenticated users can access it.

How to eliminate wrong answers

Option B is wrong because the bucket policy only allows `s3:GetObject` (read) access, not all actions such as `s3:PutObject` or `s3:DeleteObject`, so the bucket is not fully public for all actions. Option C is wrong because a plain-HTTP request has `aws:SecureTransport` equal to `false`, which fails the condition, so HTTP requests are not permitted; moreover, write access is not granted by the policy at all, over any protocol. Option D is wrong because the policy grants access to `Principal: "*"`, which includes anonymous (unauthenticated) users, not only authenticated users.

176
MCQ (easy)

During a post-implementation review of a financial system, an IS auditor finds that several critical reports are not being generated correctly. Which of the following should the auditor recommend FIRST?

A. Conduct a new round of user acceptance testing.
B. Review the system configuration and compare with user requirements.
C. Disable the incorrect reports and create manual workarounds.
D. Immediately patch the system to fix the report generation.
Answer: B

This directly addresses the root cause of incorrect reports.

Why this answer

Option B is correct because verifying the system configuration against user requirements is the logical first step toward identifying the root cause. Option D may be needed later; C is premature; A is incorrect because acceptance testing should have been completed earlier in the project.

177
Multi-Select (easy)

An organization is implementing a data loss prevention (DLP) solution. Which TWO of the following are key considerations for effective DLP deployment?

Select 2 answers
A. Implementing DLP in monitoring mode initially to baseline traffic
B. Deploying DLP agents on all endpoints before defining policies
C. Encrypting all data at rest and in transit as a prerequisite
D. Classifying data based on sensitivity and criticality
E. Replacing user security awareness training with automated DLP
Answers: A, D

Monitoring first helps tune policies and reduce false positives.

Why this answer

Options A and D are correct. A: Starting with monitoring before blocking reduces false positives. D: Classifying data based on sensitivity is fundamental to DLP policy creation.

B: DLP should be deployed in phases, not organization-wide at once. C: Encryption is a separate control; DLP can detect sensitive data but does not enforce encryption for all data. E: DLP is not a replacement for user training; it is a technical control.

178
MCQ (easy)

An IS auditor is evaluating the effectiveness of an organization's change management process. Which of the following is the most important control to verify during the audit?

A. All changes are approved by the IT manager.
B. Emergency changes are documented after implementation.
C. A segregation of duties exists between development and production.
D. Change requests are prioritized by business impact.
Answer: C

Segregation of duties is a key preventive control.

Why this answer

Segregation of duties between development and production environments ensures that code cannot be directly moved from development to production without independent review and testing. This control prevents unauthorized or untested code from affecting live systems, which is a fundamental principle of change management. Without this separation, a developer could introduce malicious or defective code directly into production, bypassing all quality and security checks.

Exam trap

The trap here is that candidates often focus on approval or prioritization controls (options A and D) as the most important, overlooking the foundational technical control of segregation of duties that directly prevents unauthorized code from reaching production.

How to eliminate wrong answers

Option A is wrong because requiring all changes to be approved by the IT manager is a basic authorization control, but it does not address the more critical risk of unauthorized code being introduced directly into production; approval alone cannot prevent a developer from bypassing the process. Option B is wrong because while documenting emergency changes after implementation is a compensating control, it is not the most important control; the highest priority is preventing unauthorized changes from reaching production, which segregation of duties achieves. Option D is wrong because prioritizing change requests by business impact is a project management activity that helps allocate resources, but it does not enforce any technical barrier against unauthorized code movement or ensure the integrity of the production environment.

179
MCQ (medium)

During an audit, the IS auditor discovers that the audit log for a critical server is overwritten every 24 hours. The auditor wants to ensure logs are preserved for a longer period. Which of the following recommendations is most appropriate?

A. Implement a manual backup of logs daily
B. Reduce the logging level to minimize data
C. Increase the log size to retain more data
D. Configure the server to archive logs to a centralized log management system
Answer: D

Centralized archiving provides secure, long-term storage and facilitates analysis.

Why this answer

The most appropriate recommendation is to configure the server to archive logs to a centralized log management system. This ensures logs are preserved beyond the 24-hour overwrite window by sending them to a separate, persistent storage location, which also supports security monitoring, forensics, and compliance requirements. Centralized logging (e.g., using syslog, SIEM, or a dedicated log collector) provides redundancy, integrity checks, and long-term retention without relying on the local server's limited storage.

Exam trap

The trap here is that candidates may choose Option C (increase log size) thinking it solves the retention issue, but they overlook that it only postpones the overwrite rather than providing a permanent, auditable archive, which is the core requirement for compliance and forensic readiness.

How to eliminate wrong answers

Option A is wrong because implementing a manual backup of logs daily is error-prone, relies on human intervention, and does not guarantee logs are captured before the 24-hour overwrite cycle completes; it also lacks automation and scalability. Option B is wrong because reducing the logging level to minimize data would discard potentially critical security events, defeating the purpose of preserving logs for audit and investigation. Option C is wrong because increasing the log size only delays the overwrite cycle but does not solve the fundamental retention problem; logs will still be overwritten once the increased capacity is exhausted, and it does not provide off-site or centralized storage.

180
MCQ (medium)

An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?

A. Document the unresolved defects as known issues in a risk acceptance form with a remediation plan, then proceed with go-live
B. Re-run all UAT test cases to ensure no regression occurs
C. Delay go-live until all defects are resolved
D. Obtain sign-off from business stakeholders acknowledging the risks and proceed with go-live
Answer: A

Best practice: formally track and accept residual risk.

Why this answer

Option A is correct because in a financial system implementation, low-severity issues that do not impair core financial processing or controls can be accepted as known risks. Documenting them with a remediation plan and proceeding with go-live aligns with ISACA’s guidance that UAT sign-off does not require zero defects, only that critical and high-severity defects are resolved. This approach balances business needs with risk management, avoiding unnecessary delays while ensuring accountability through formal risk acceptance.

Exam trap

The trap here is that candidates confuse 'all defects must be fixed before go-live' with proper risk management, failing to recognize that ISACA allows go-live with documented, accepted low-severity issues as long as critical defects are resolved and a remediation plan exists.

How to eliminate wrong answers

Option B is wrong because re-running all UAT test cases to check for regression is unnecessary and inefficient when only low-severity issues remain; regression testing should be targeted to affected areas, not a full re-execution. Option C is wrong because delaying go-live until all defects are resolved ignores the principle of risk-based decision-making—low-severity issues that do not affect critical functionality or compliance can be deferred without jeopardizing the system. Option D is wrong because obtaining sign-off from business stakeholders without a documented remediation plan or formal risk acceptance form leaves the organization without a clear accountability trail for tracking and resolving the known issues post-go-live.

181
MCQ (easy)

Based on the log, what is the MOST likely root cause of the backup failure?

A. Network connectivity issues
B. Incorrect backup schedule
C. Backup software corruption
D. Insufficient storage capacity
Answer: D

The target directory is full, causing the failure.

Why this answer

Option D is correct because the log clearly indicates that the target directory is full. Options A, B, and C are not indicated anywhere in the log.

182
Multi-Select (hard)

Which THREE of the following are essential components of a data classification program?

Select 3 answers
A. Data retention and disposal schedules
B. Regular vulnerability scanning
C. Assignment of data owners
D. Standardized labeling guidelines
E. Implementation of database encryption
Answers: A, C, D

Retention schedules specify how long classified data must be kept and how to dispose of it.

Why this answer

Data retention and disposal schedules are essential to a data classification program because they define how long each classification level of data must be retained and the secure methods for its disposal (e.g., degaussing, cryptographic erasure, or physical shredding). This ensures that data is not kept beyond its useful life, reducing the risk of unauthorized access or legal non-compliance. Without these schedules, the classification program lacks the lifecycle management component necessary for operational security.

Exam trap

The trap here is that candidates confuse operational security controls (like vulnerability scanning or encryption) with the administrative and procedural components of a data classification program, which are specifically about defining ownership, labeling, and lifecycle management.

183
MCQ (easy)

A medium-sized e-commerce company recently suffered a ransomware attack that encrypted critical databases. The IT team restored systems from backups, but the incident exposed a lack of clear roles and responsibilities for incident response. The board has asked the IT governance committee to review and improve the incident response governance. The committee notes that while there is an incident response policy, it is not regularly tested, and staff are unsure of their roles. The company also lacks a formal communication protocol for notifying stakeholders. What should the committee prioritize to strengthen governance over incident response?

A. Invest in advanced endpoint detection and response tools.
B. Outsource incident response to a managed security service provider.
C. Define and communicate clear roles and responsibilities for incident response, and establish accountability.
D. Conduct a tabletop exercise to test the current plan.
Answer: C

Clear governance structure is foundational.

Why this answer

Option C is correct because a governance framework must include clear roles, responsibilities, and accountability, and their absence is the root cause of the gaps observed. Option A is wrong because technology alone does not fix governance gaps. Option D is wrong because, while testing is valuable, it should follow role definition. Option B is wrong because outsourcing does not address internal governance deficiencies.

184
MCQ (hard)

An organization is adopting an agile development methodology for a new financial application. During a sprint review, the product owner expresses concern that the system does not enforce segregation of duties (SoD). The development team argues that SoD will be addressed in a future sprint. As the IS auditor, what is the BEST recommendation?

A. Suggest that the product owner accept the residual risk.
B. Insist that SoD be implemented in the next sprint.
C. Accept the team's plan and document the risk.
D. Require immediate implementation of SoD in this sprint.
Answer: B

SoD should be addressed as soon as possible.

Why this answer

In agile development, security and compliance requirements like segregation of duties (SoD) must be addressed as early as possible, especially for a financial application where regulatory compliance is critical. Delaying SoD to a future sprint introduces significant risk and violates the principle of 'secure by design.' The IS auditor's best recommendation is to insist that SoD be implemented in the next sprint, ensuring that the control is prioritized and integrated into the development lifecycle without waiting for an indefinite future iteration.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' (Option A) with a valid risk management approach, but in this context, the auditor must advocate for timely implementation of a critical control rather than deferring to the product owner's risk appetite.

How to eliminate wrong answers

Option A is wrong because suggesting the product owner accept residual risk abdicates the auditor's responsibility to enforce critical controls; SoD is a fundamental internal control for financial systems, not a discretionary risk. Option C is wrong because accepting the team's plan and documenting the risk without escalation allows a high-severity control deficiency to persist, which could lead to fraud or regulatory non-compliance. Option D is wrong because requiring immediate implementation in the current sprint may be impractical if the sprint is already committed to other user stories, and it ignores the agile principle of prioritizing work in the next sprint planning session.

185
MCQ (easy)

A small business wants to protect customer data stored on a local file server. Which of the following is the MOST cost-effective control to prevent unauthorized access?

A. Enable detailed audit logs
B. Configure file-level permissions
C. Implement full-disk encryption
D. Deploy biometric authentication
Answer: B

File permissions are a direct and low-cost way to control access.

Why this answer

Configuring file-level permissions (e.g., NTFS permissions on Windows or POSIX ACLs on Linux) is the most cost-effective control because it directly restricts which users or groups can read, write, or modify specific files and folders on the server. This granular access control prevents unauthorized access without requiring additional hardware or complex management, making it ideal for a small business with limited budget.

Exam trap

The trap here is that candidates often confuse detective controls (audit logs) or encryption (which protects data at rest) with preventive access controls, leading them to choose a more expensive or less effective option instead of the simple, direct file permission configuration.

How to eliminate wrong answers

Option A is wrong because audit logs only record access events after they occur; they do not prevent unauthorized access in real time. Option C is wrong because full-disk encryption protects data at rest if the physical disk is stolen, but it does not control access while the server is running and the OS is booted. Option D is wrong because biometric authentication is expensive to deploy and maintain, and it addresses authentication at the system level rather than directly controlling access to specific files on the server.

186
MCQ (medium)

An organization is implementing a data loss prevention (DLP) solution. Which of the following is the BEST approach to reduce false positives during initial deployment?

A. Use default policies without modification
B. Limit scope to one department to minimize noise
C. Deploy in monitor-only mode and analyze alerts for a period
D. Block all sensitive data transmissions immediately
Answer: C

Monitor-only mode allows policy tuning without impact.

Why this answer

Deploying a DLP solution in monitor-only mode allows the organization to observe what data is being transmitted and generate alerts without blocking any traffic. This enables security teams to analyze the alerts against actual business workflows, fine-tune policies, and eliminate false positives before moving to an active enforcement mode. It is a best practice for initial deployment to avoid disrupting legitimate business operations.

Exam trap

The trap here is that candidates may think limiting scope (Option B) is the best way to reduce noise, but the question asks for the best approach to reduce false positives, and monitor-only mode provides the necessary feedback loop to tune policies before enforcement, whereas limiting scope only reduces volume, not the false positive rate.

How to eliminate wrong answers

Option A is wrong because default policies are generic and not tailored to the organization's specific data types, workflows, or user behavior, which typically results in a high volume of false positives and potential missed detections. Option B is wrong because limiting scope to one department reduces the overall visibility and may miss data loss events in other departments, while still generating false positives within that department due to untuned policies. Option D is wrong because immediately blocking all sensitive data transmissions without first understanding normal traffic patterns will almost certainly disrupt legitimate business processes and cause significant operational impact.

187
MCQ (easy)

Refer to the exhibit. The IS auditor reviews the router's version output during an audit. What is the MOST significant finding?

A. The router was returned to ROM by power-on.
B. The router has been running for over two years without a reboot.
C. The system image is stored in flash memory.
D. The IOS version is outdated and may contain security vulnerabilities.
Answer: D

Outdated software is a critical finding.

Why this answer

The most significant finding is that the IOS version is outdated and may contain security vulnerabilities. An outdated IOS version can have known exploits that compromise the router's security, which is a critical risk for the organization. While other options describe operational states, they do not present the same level of immediate security threat as running unsupported or vulnerable firmware.

Exam trap

The trap here is that candidates focus on operational details like uptime or boot process (options A and B) instead of recognizing that an outdated IOS version is a direct security risk, which is the most significant finding in an audit context.

How to eliminate wrong answers

Option A is wrong because 'returned to ROM by power-on' is a normal boot process message indicating the router loaded the IOS from ROM after a power cycle, not a security finding. Option B is wrong because a router running for over two years without a reboot is not inherently a security issue; uptime alone does not indicate vulnerabilities or misconfigurations. Option C is wrong because storing the system image in flash memory is standard practice for Cisco routers and is not a finding; it is the expected location for the IOS image.

188
MCQ (hard)

A multinational corporation is evaluating its IT governance structure. The board wants to ensure that IT investments are prioritized based on risk and value. Which framework component is MOST critical?

A. Service level agreements
B. Balanced scorecard
C. IT steering committee
D. Portfolio management process
Answer: D

This process evaluates and ranks investments by risk and value.

Why this answer

A portfolio management process systematically evaluates and prioritizes investments based on risk and value, aligning with the board's objectives. The IT steering committee provides oversight, but portfolio management is the mechanism that actually performs the prioritization.

189
MCQ (easy)

A mid-sized company is implementing a new IT service management (ITSM) tool to improve incident management. The IT manager wants to ensure that the tool aligns with ITIL best practices. The company has a dedicated service desk team that handles about 200 incidents per week. The IT manager is considering whether to implement a self-service portal for users to submit incidents and check status, or to continue using email-based incident reporting. The service desk team is concerned that a self-service portal might reduce their direct interaction with users and potentially lead to less personalized support. However, the IT manager believes that a portal could improve efficiency and tracking. The company's IT governance framework requires that any major IT investment be approved by the steering committee and that there be a clear business case. The IT manager has prepared a business case but the steering committee wants to ensure that the solution is aligned with ITIL and that it addresses key incident management processes. Which of the following is the most appropriate next step for the IT manager?

A. Implement the self-service portal immediately to improve efficiency, then present the business case later.
B. Conduct a process review with stakeholders to define requirements based on ITIL guidelines before selecting a tool.
C. Proceed with the self-service portal without further review because it is clearly beneficial.
D. Abandon the self-service portal idea and continue with email-based reporting.
Answer: B

This ensures alignment with ITIL and addresses concerns through stakeholder involvement.

Why this answer

Option B is correct because ITIL best practices emphasize that process design should precede tool selection. Conducting a process review with stakeholders ensures the self-service portal aligns with defined incident management workflows, such as categorization, prioritization, and escalation, before committing to a specific tool. This step also satisfies the IT governance requirement for a clear business case by validating requirements against ITIL guidelines.

Exam trap

The trap here is that candidates may assume any self-service portal automatically improves efficiency and aligns with ITIL, but CISA tests the principle that process definition must precede tool selection to ensure governance and best practice alignment.

How to eliminate wrong answers

Option A is wrong because implementing the portal immediately without presenting the business case violates the IT governance framework requiring steering committee approval for major IT investments, and it risks deploying a tool that does not align with ITIL-defined incident management processes. Option C is wrong because proceeding without further review ignores the service desk team's concerns about reduced personalization and fails to ensure the portal supports ITIL processes like incident categorization and SLA tracking, which could lead to inefficiencies. Option D is wrong because abandoning the portal idea outright dismisses the potential efficiency gains and tracking improvements that a properly designed self-service portal can provide, and it does not address the need to align with ITIL best practices.

190
Multi-Select (medium)

Which TWO of the following are key controls that an IS auditor should expect to find in a well-managed system development life cycle (SDLC)?

Select 2 answers
A. Segregation of duties between development and testing.
B. Vendor due diligence reports.
C. Formal change control process for code changes.
D. Automated unit testing scripts.
E. Gantt chart for project scheduling.
Answers: A, C

Ensures independent verification and reduces risk of errors.

Why this answer

Segregation of duties between development and testing is a key control because it ensures that code is independently verified before release, preventing developers from approving their own changes and reducing the risk of undetected defects or malicious code. In a well-managed SDLC, this separation enforces an independent testing phase, which is critical for maintaining code integrity and security.

Exam trap

The trap here is that candidates confuse project management artifacts (like Gantt charts) or development tools (like unit test scripts) with actual controls, but the CISA exam focuses on controls that enforce separation of duties and formal change management, not on the tools or schedules used to manage the project.

191
MCQ (hard)

A multinational corporation is implementing a global HR system. The project team decides to use a pilot implementation in one region before rolling out to others. What is the PRIMARY risk if the pilot region is not representative of the entire organization?

A. The pilot team may become overly confident.
B. The pilot may run over budget due to unexpected challenges.
C. Issues relevant to other regions may remain undetected.
D. The implementation schedule will be delayed.
Answer: C

A pilot should reveal all potential issues; a non-representative pilot misses them.

Why this answer

The primary risk of a non-representative pilot is that region-specific variations in regulatory, cultural, or technical infrastructure (e.g., data privacy laws like GDPR, local labor regulations, or network latency) will not be exercised. This means defects or integration failures that are unique to other regions remain hidden until full rollout, undermining the pilot's purpose as a risk-reduction mechanism. Option C directly captures this core risk of undetected issues.

Exam trap

The trap here is that candidates confuse a secondary consequence (like budget overruns or delays) with the primary risk, which is the failure to detect region-specific issues that could cause catastrophic failures during full rollout.

How to eliminate wrong answers

Option A is wrong because pilot team overconfidence is a secondary human-factor risk, not the primary technical risk of a non-representative sample; the pilot could still surface issues even if the team is overconfident. Option B is wrong because unexpected challenges in a non-representative pilot are less likely to cause budget overruns (the pilot may actually be too easy), and the primary risk is about undetected issues, not cost. Option D is wrong because schedule delays are a possible consequence of undetected issues, but the primary risk is the failure to detect those issues in the first place, not the delay itself.

192
MCQ (hard)

An IS auditor reviews the change request. Which of the following is the most significant risk?

A. The description is too vague
B. The approval is still pending close to the scheduled date
C. The impact assessment is incorrect
D. The change affects a financial module
Answer: C

Interest calculation is a critical financial function; labeling it as low impact may lead to insufficient testing and controls.

Why this answer

An incorrect impact assessment (Option C) is the most significant risk because it directly undermines the change management process. If the impact is misjudged, the change may introduce unanticipated failures, data corruption, or security vulnerabilities into the production environment. Unlike vague descriptions or pending approvals, an incorrect impact assessment can lead to catastrophic system outages or compliance violations that are difficult to reverse.

Exam trap

The trap here is that candidates often focus on the obvious procedural flaw (pending approval) or the high-profile module (financial), rather than recognizing that an incorrect impact assessment is the root cause that can make any change disastrous regardless of other factors.

How to eliminate wrong answers

Option A is wrong because a vague description, while undesirable, is a documentation issue that can often be clarified during implementation or testing; it does not inherently introduce technical risk to the system. Option B is wrong because pending approval close to the scheduled date is a process timing risk that can be mitigated by rescheduling or expediting approval; it does not directly threaten system integrity or security. Option D is wrong because the change affecting a financial module is a contextual factor, not a risk itself—the risk lies in how the change is assessed and implemented, not in which module it touches.

193
MCQ (easy)

Which of the following is the PRIMARY purpose of a data classification scheme?

A. To enable encryption of all sensitive data
B. To meet regulatory compliance requirements
C. To define data retention periods
D. To ensure appropriate security controls are applied based on data sensitivity
Answer: D

Classification drives protection.

Why this answer

A data classification scheme assigns sensitivity labels (e.g., public, internal, confidential, restricted) to information assets. Its primary purpose is to ensure that appropriate security controls—such as access control lists, encryption strength, and monitoring—are applied proportionally to the data's sensitivity. Without classification, controls would be either insufficient for high-risk data or overly restrictive for low-risk data, undermining both security and operational efficiency.

Exam trap

The trap here is that candidates mistake a downstream benefit (like enabling encryption or meeting compliance) for the primary purpose, when the core goal is to drive risk-based security control selection based on data sensitivity.

How to eliminate wrong answers

Option A is wrong because enabling encryption of all sensitive data is a specific control outcome, not the primary purpose of classification; classification informs which data requires encryption, but the scheme itself does not enforce encryption. Option B is wrong because meeting regulatory compliance requirements is a benefit or driver for classification, but not its primary purpose; compliance mandates often require classification, but the scheme's core goal is to guide control selection, not merely to check a compliance box. Option C is wrong because defining data retention periods is a separate data lifecycle management function typically governed by a retention policy or schedule, not by the classification scheme; classification labels may influence retention, but the primary purpose is not to set retention durations.

194
Drag & Drop (medium)

Order the steps for conducting a business impact analysis (BIA) in the correct sequence.


Why this order

BIA steps: identify processes, define recovery objectives, assess impact, prioritize, and document.

195
MCQ (hard)

A multinational corporation has defined its risk appetite as 'moderate' for IT investments. The IT steering committee is evaluating a new project with potential high returns but also significant cybersecurity risks. The project's risk profile is assessed as 'high' by the risk management team. What should the committee do FIRST?

A. Request the project team to identify risk mitigation measures.
B. Approve the project but increase monitoring.
C. Escalate the decision to the board of directors.
D. Reject the project immediately as it exceeds risk appetite.
Answer: A

First, see if risk can be reduced to align with appetite.

Why this answer

Option A is correct because if the risk exceeds appetite, risk mitigation measures should be explored first to bring it to an acceptable level. Option D is wrong because rejecting the project outright without considering mitigation may miss valuable opportunities. Option C is wrong because escalating to the board should come only after mitigation options have been considered. Option B is wrong because approving the project as is violates the risk appetite.

196
MCQ (easy)

An organization wants to ensure that its backup tapes are protected from unauthorized access. Which of the following is the MOST effective control?

A. Physical locks on the tape library
B. Encryption of the backup data
C. Access control lists on the backup server
D. Offsite storage of tapes
Answer: B

Correct: Encryption renders data unreadable without the key.

Why this answer

Encryption protects data confidentiality even if physical security is breached. Physical locks, access controls, and offsite storage are important but do not protect against all threats like theft during transit.

197
MCQ (hard)

Refer to the exhibit. Which perspective shows the greatest deviation from target?

A. Customer
B. Learning & Growth
C. Financial
D. Internal Process
Answer: B

20% below target, the largest deviation.

Why this answer

Learning & Growth is 30 hours short of 150 (20% deficit), while Financial is 10% short, Internal Process is 4% short, and Customer exceeds target. Thus, Learning & Growth has the largest negative gap.

198
MCQ (medium)

A university is implementing a new student information system. The project team uses an iterative development approach. During user acceptance testing, students report that the online course registration portal crashes when more than 100 users register simultaneously. The development team identifies a database connection pooling issue and estimates a fix will take three weeks. The project deadline is in two weeks. The project manager suggests deploying the system as is and fixing the issue after go-live, as the crash is rare. The IS auditor is consulted. What should the auditor recommend?

A. Delay the go-live until the defect is fixed and user acceptance testing is passed.
B. Document the risk and proceed with the go-live, planning to fix later.
C. Deploy on time but restrict registration to fewer than 100 students per session.
D. Implement a temporary increase in server capacity to handle the load.
Answer: A

Critical defect must be resolved before deployment.

Why this answer

Option A is correct because deploying a system with a known critical defect that fails under expected load conditions violates the principle of delivering a reliable and secure system. The database connection pooling issue causes the portal to crash under concurrent user load, which is a functional failure that directly impacts business operations. Delaying go-live ensures the defect is fixed and user acceptance testing (UAT) is fully passed, aligning with the IS auditor's responsibility to recommend risk mitigation over acceptance of a preventable failure.

Exam trap

The trap here is that candidates may assume a 'rare' crash can be accepted as a post-go-live fix, but the IS auditor must recognize that the crash occurs under a specific, predictable load threshold that is likely to be exceeded during normal operations, making it a high-risk defect that requires pre-deployment resolution.

How to eliminate wrong answers

Option B is wrong because documenting the risk and proceeding without fixing the defect ignores the fact that the crash is not 'rare'—it occurs under a predictable load of 100 concurrent users, which is a realistic scenario for a university registration portal. Option C is wrong because restricting registration to fewer than 100 students per session is a manual workaround that does not address the underlying database connection pooling issue; it introduces operational complexity and still risks failure if the limit is accidentally exceeded. Option D is wrong because a temporary increase in server capacity (e.g., adding more CPU or memory) does not fix a database connection pooling defect—the crash is caused by connection exhaustion or misconfiguration in the connection pool library, not by insufficient hardware resources.

199
MCQ (medium)

A security auditor discovers that a server has been compromised due to an unpatched vulnerability. Which of the following would have most effectively prevented this incident?

A. Enabling firewall rules to limit access.
B. Implementing a vulnerability management program with regular patching.
C. Installing a host-based intrusion detection system (HIDS).
D. Using strong passwords on the server.
Answer: B

Correct. Regular patching addresses root cause by eliminating known vulnerabilities.

Why this answer

Option B is correct because a vulnerability management program with regular patching directly addresses the root cause of the compromise: the unpatched vulnerability. By systematically identifying, prioritizing, and applying security patches, the organization eliminates the known weakness that the attacker exploited. This proactive measure prevents the initial compromise, whereas other controls only detect or limit the attack after the vulnerability is exploited.

Exam trap

The trap here is that candidates often choose a detective or preventive control (like a firewall or HIDS) that mitigates the attack surface or detects the breach, rather than recognizing that patching is the only option that eliminates the root cause of the vulnerability itself.

How to eliminate wrong answers

Option A is wrong because firewall rules limit network access but do not fix the underlying unpatched vulnerability; an attacker who gains access through an allowed port or via an internal vector can still exploit the unpatched flaw. Option C is wrong because a host-based intrusion detection system (HIDS) only detects suspicious activity after exploitation begins or has occurred; it does not prevent the initial compromise of an unpatched vulnerability. Option D is wrong because strong passwords protect against credential-based attacks, but they are irrelevant when the attacker bypasses authentication entirely by exploiting a software vulnerability that does not require valid credentials.

200
MCQ (medium)

Refer to the exhibit. The organization is planning to achieve the target level. What is the MOST appropriate action?

A. Assign a process owner
B. Implement process metrics and statistical controls
C. Conduct awareness training
D. Increase process documentation
Answer: B

Level 4 requires quantitative management.

Why this answer

To move from Level 3 (Established) to Level 4 (Predictable), the process must be measured and controlled using statistical techniques. Implementing metrics and statistical controls directly addresses the gap. Documentation, ownership, and training are earlier-level activities.

201
MCQ (easy)

Which of the following is the PRIMARY benefit of using a hardware security module (HSM) for key management?

A. It reduces the cost of key management.
B. It improves encryption speed.
C. It provides tamper-resistant storage for encryption keys.
D. It simplifies key distribution.
Answer: C

HSM provides secure key storage that is resistant to tampering.

Why this answer

The primary benefit of a hardware security module (HSM) is that it provides tamper-resistant, physically secured storage for encryption keys. HSMs are designed to protect keys from extraction or modification, even if an attacker gains physical access to the device, which is critical for maintaining the confidentiality and integrity of cryptographic operations. This aligns with the core purpose of an HSM: to safeguard the root of trust in a key management infrastructure.

Exam trap

The trap here is that candidates may confuse the security-focused purpose of an HSM with operational benefits like cost reduction or performance improvement, leading them to select options that describe side effects or unrelated advantages rather than the primary benefit.

How to eliminate wrong answers

Option A is wrong because HSMs typically increase the cost of key management due to the specialized hardware, certification, and maintenance required, not reduce it. Option B is wrong because HSMs are not primarily designed to improve encryption speed; in fact, they can introduce latency compared to software-based encryption, and their value lies in security, not performance. Option D is wrong because HSMs do not simplify key distribution; they are often used in conjunction with key management interfaces and protocols (e.g., PKCS#11, KMIP) and may add operational overhead for secure key exchange.

202
Drag & Drop (medium)

Order the steps for performing a data backup in the correct sequence.


Why this order

Backup process: identify data, choose method, schedule, execute/verify, and store offsite.

203
Multi-Select (medium)

Which of the following are key considerations when implementing a data classification policy? (Choose THREE.)

Select 3 answers
A. Encryption key management
B. Definition of classification categories
C. Backup frequency requirements
D. Handling and labeling procedures
E. Assignment of data owners
Answers: B, D, E

Categories (e.g., public, confidential) are essential.

Why this answer

Option B is correct because defining classification categories (e.g., Public, Internal, Confidential, Restricted) is the foundational step in a data classification policy. These categories establish the criteria for labeling and handling data based on sensitivity and criticality, directly enabling consistent protection controls across the organization.

Exam trap

ISACA often tests the distinction between policy-level definitions (classification categories, data owners, handling procedures) and operational controls (encryption, backup frequency), leading candidates to mistakenly select technical safeguards as key policy considerations.

204
Multi-Select (medium)

Which TWO of the following are key objectives of a post-implementation review of a new system?

Select 2 answers
A. Update the disaster recovery plan
B. Assess the project budget variance
C. Identify lessons learned for future projects
D. Evaluate vendor performance
E. Verify that the system meets user requirements
Answers: C, E

Lessons learned are a key output.

Why this answer

Option C is correct because a key objective of a post-implementation review (PIR) is to capture lessons learned from the project, which helps improve future system development and acquisition processes. This involves documenting what went well, what went wrong, and how processes can be refined, directly supporting continuous improvement in IT governance and project management.

Exam trap

The trap here is that candidates often confuse the PIR with project closure activities, mistakenly selecting budget variance or vendor evaluation as key objectives, when the PIR is specifically focused on verifying system effectiveness and capturing lessons learned for future projects.

205
MCQ (easy)

What is the FIRST step in implementing an identity and access management (IAM) program?

A. Selecting an IAM vendor.
B. Performing a user access review.
C. Implementing multi-factor authentication.
D. Deploying single sign-on (SSO).
Answer: B

Understanding current access is the foundational step.

Why this answer

Performing a user access review is the first step because it establishes a baseline of current access rights, identifies segregation of duties conflicts, and uncovers orphaned accounts or excessive privileges. Without this foundational assessment, subsequent IAM controls like SSO or MFA would be deployed on an insecure or non-compliant access framework, violating the principle of 'least privilege' and potentially failing audit requirements.

Exam trap

The trap here is that candidates often confuse 'first step' with 'most visible security control' and select MFA or SSO, forgetting that IAM must begin with a discovery and cleanup phase to ensure the foundation is secure before adding layers.

How to eliminate wrong answers

Option A is wrong because selecting an IAM vendor before understanding current access states and requirements leads to technology-driven decisions that may not align with organizational policy or regulatory needs. Option C is wrong because implementing multi-factor authentication (MFA) is a tactical control that should follow a baseline access review to ensure MFA is applied to the correct accounts and roles, not as a starting point. Option D is wrong because deploying single sign-on (SSO) without first reviewing and cleaning up existing user access rights can propagate excessive privileges across all connected systems, increasing risk rather than reducing it.

206
MCQ (medium)

Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?

A. Compromise by conducting a limited UAT on only critical functionalities.
B. Resign from the project due to ethical concerns.
C. Accept the sponsor's request and skip UAT to meet the deadline.
D. Adhere to the governance policy and escalate the risk to the steering committee for a decision.
Answer: D

Follows policy and involves proper governance body.

Why this answer

Option D is correct because the governance policy mandates UAT before deployment, and skipping it could compromise patient safety and data integrity in the EHR system. By escalating the risk to the steering committee, the project manager ensures that the decision is made at the appropriate governance level, balancing project pressures with compliance and quality. This approach aligns with the CISA domain of Governance and Management of IT, where adherence to policies and risk escalation are key controls.

Exam trap

The trap here is that candidates may choose a compromise (Option A) thinking it balances speed and quality, but it still violates the governance policy and fails to address the root cause of scope creep and resource constraints through proper escalation.

How to eliminate wrong answers

Option A is wrong because conducting a limited UAT on only critical functionalities still violates the governance policy and may miss integration or workflow defects that affect patient safety across non-critical modules. Option B is wrong because resigning is an extreme measure that abdicates professional responsibility; the project manager should first use escalation channels and governance processes to address the conflict. Option C is wrong because skipping UAT entirely disregards the governance policy and introduces unacceptable risks to patient safety and regulatory compliance, which could lead to severe consequences for the organization.

207
MCQ (hard)

An IT department uses a balanced scorecard (BSC) to measure performance. The financial perspective shows that IT costs are within budget, but customer satisfaction scores are declining. The learning and growth perspective indicates low employee engagement. Which action should the IT governance committee prioritize?

A. Reduce IT costs further to reallocate savings to customer service.
B. Invest in training and development programs for IT staff.
C. Increase the IT budget to hire more staff.
D. Outsource customer-facing IT support to a third party.
Answer: B

Training improves skills and engagement, leading to better customer satisfaction.

Why this answer

Option B is correct because investing in training improves employee engagement (learning & growth), which likely leads to better service and customer satisfaction. Option A is wrong because reducing costs further may worsen customer satisfaction and does not address the root cause. Option D is wrong because outsourcing customer-facing support to a third party is a temporary fix.

208
MCQ (hard)

An organization's IT strategy is developed by the IT department without input from business stakeholders. Which of the following is the MOST significant risk?

A. Technology may become obsolete quickly.
B. IT projects may exceed budget.
C. IT staff may lack required skills.
D. IT strategy may not support business objectives.
Answer: D

Lack of business input leads to misalignment, the most significant risk.

Why this answer

Option D is correct because without business input, the strategy may not support business objectives, leading to misalignment. Option A is a possible outcome. Options B and C are less directly related.

209
MCQ (easy)

A medium-sized manufacturing company has a decentralized IT structure where each business unit manages its own IT budget and projects. The CEO is concerned that IT investments are not aligned with corporate strategy and that there is duplication of effort. The IT department lacks a formal project portfolio management process. The company has experienced several project failures due to poor prioritization. The CEO has asked the newly hired IT auditor to recommend an initial step to improve IT governance. The auditor should recommend:

A. Establishing an IT steering committee with representatives from business units and IT
B. Implementing a project portfolio management software tool immediately to track all projects
C. Conducting a security risk assessment of all IT systems
D. Outsourcing IT management to a third-party provider
Answer: A

A steering committee provides strategic direction, prioritization, and governance over IT investments.

Why this answer

Option A is correct because establishing an IT steering committee is a foundational step to provide oversight, prioritize projects, and align IT with business strategy. Option B is premature; a portfolio management process should be defined, with governance approval, before a tool is selected. Option C addresses security but not overall governance. Option D is too drastic and does not solve the alignment issue.

210
MCQ (easy)

A company is migrating from a legacy system to a cloud-based ERP. Which of the following is the MOST important control to ensure data integrity during data conversion?

A. Automated backup
B. User acceptance testing
C. Parallel running
D. Reconciliation of control totals
Answer: D

Control totals provide a simple but effective way to verify that data quantities and key figures match between source and target systems.

Why this answer

Reconciliation of control totals is the most important control because it directly verifies that the sum of key fields (e.g., total account balances, record counts) in the source system matches the target cloud-based ERP after conversion. This ensures no data is lost, duplicated, or corrupted during the extraction, transformation, and loading (ETL) process, which is critical for maintaining data integrity in a migration from a legacy system.

Exam trap

The trap here is that candidates often confuse 'parallel running' (a system validation technique) with a data integrity control, but parallel running validates operational consistency over time, not the precise completeness and accuracy of the converted data set itself.

How to eliminate wrong answers

Option A is wrong because automated backup protects against data loss due to failures but does not validate the accuracy or completeness of converted data during migration. Option B is wrong because user acceptance testing (UAT) focuses on verifying that the new system meets functional requirements and business processes, not on detecting data integrity issues like missing or misaligned records in the converted dataset. Option C is wrong because parallel running compares outputs of the old and new systems over time to validate operational consistency, but it does not provide a precise, field-level check of data conversion completeness and accuracy like control totals do.

211
MCQ (easy)

In an Agile software development project, who is primarily responsible for prioritizing the product backlog?

A. Scrum Master
B. Development Team
C. Project Manager
D. Product Owner
Answer: D

The Product Owner is responsible for prioritizing the product backlog.

Why this answer

Option D is correct because the Product Owner owns the backlog and prioritizes items based on business value. Option A is wrong because Scrum Master facilitates but does not prioritize. Option B is wrong because the team estimates effort but does not set priority.

Option C is wrong because Agile projects typically do not have a traditional project manager.

212
MCQ (hard)

During an audit, the IS auditor finds that the business continuity plan (BCP) was last updated two years ago and does not include new cloud-based applications. The organization has not conducted a BCP test in 18 months. What should the auditor recommend FIRST?

A. Obtain management approval for BCP updates
B. Perform a risk assessment to prioritize changes
C. Immediately schedule a full-scale test
D. Update the BCP to include cloud applications
Answer: B

A risk assessment identifies the most critical gaps, enabling efficient allocation of resources.

Why this answer

Option B is correct because a risk assessment is needed to prioritize which updates are critical. Option A is premature without an understanding of the current risks; Option C is part of the update process but should follow the risk assessment; Option D comes later in the process.

213
MCQ (hard)

An organization has implemented a new IT service management (ITSM) tool. The IT manager wants to measure the effectiveness of incident management. Which metric is MOST appropriate?

A. Mean time to resolve (MTTR) incidents
B. Percentage of incidents resolved on first call
C. Number of incidents reported per month
D. Percentage of system uptime
Answer: A

MTTR directly measures how quickly incidents are resolved.

Why this answer

Mean time to resolve (MTTR) is the most appropriate metric for measuring the effectiveness of incident management because it directly reflects how quickly the IT team can restore normal service operation after an incident. In ITIL-based ITSM tools, MTTR tracks the elapsed time from incident logging to resolution, providing a clear indicator of process efficiency and team responsiveness.

Exam trap

The trap here is that candidates often confuse incident management metrics with service desk or availability metrics, picking 'percentage of incidents resolved on first call' because it sounds like a measure of effectiveness, but it actually measures first-contact resolution efficiency, not the end-to-end incident management process.

How to eliminate wrong answers

Option B is wrong because the percentage of incidents resolved on first call measures first-level support efficiency, not the overall effectiveness of the incident management process, which includes escalation and resolution workflows. Option C is wrong because the number of incidents reported per month is a volume metric that indicates incident frequency, not the quality or speed of resolution. Option D is wrong because system uptime is a metric for availability management, not incident management; it measures service reliability rather than how incidents are handled.

214
MCQ (easy)

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of using a framework like COBIT?

A. Reducing IT operational costs.
B. Aligning IT strategy with business goals.
C. Eliminating all IT-related risks.
D. Ensuring compliance with all regulatory requirements.
Answer: B

COBIT and similar frameworks focus on creating value by aligning IT with business objectives.

Why this answer

COBIT is designed to bridge the gap between business objectives and IT operations by providing a framework that maps IT processes to business goals. The primary benefit is ensuring that IT strategy directly supports and enables business strategy, rather than focusing on cost reduction or risk elimination.

Exam trap

The trap here is that candidates often confuse the primary benefit of a governance framework (strategic alignment) with secondary benefits like cost reduction or compliance, leading them to pick a plausible but incorrect answer that addresses a tactical outcome rather than the core strategic purpose.

How to eliminate wrong answers

Option A is wrong because reducing IT operational costs is a possible outcome of good governance but not the primary purpose of COBIT; cost reduction is more directly addressed by frameworks like ITIL or specific cost-optimization practices. Option C is wrong because no framework can eliminate all IT-related risks; risk management aims to reduce risk to an acceptable level, not achieve zero risk. Option D is wrong because ensuring compliance with all regulatory requirements is an objective of governance but not the primary benefit of COBIT; compliance is one component of a broader alignment goal, and no framework can guarantee compliance with every regulation.

215
MCQ (hard)

During a post-implementation review of a new HR system, the auditor finds that the system's disaster recovery plan (DRP) was not tested before go-live. Which of the following is the BEST recommendation?

A. Accept the risk because the system is new
B. Implement a backup procedure for the system
C. Conduct a DRP test immediately and document results
D. Schedule a DRP test within the next six months
Answer: C

Addresses the gap promptly.

Why this answer

The DRP should be tested as part of the implementation. Option A is not proactive; Option B is a temporary fix; Option D is not sufficient.

216
Multi-Select (medium)

Which TWO of the following are key controls in the system development life cycle?

Select 2 answers
A. Post-implementation review
B. Use of agile methodology
C. Segregation of duties between development and operations
D. Formal approval of business requirements
E. Automated deployment tools
Answers: A, C

Ensures system meets objectives and provides feedback.

Why this answer

Options A and C are correct. Segregation of duties between development and operations is a key control to prevent unauthorized changes. A post-implementation review ensures the system meets objectives and provides lessons learned.

Agile methodology (B) is a framework, not a control. Automated deployment tools (E) are a practice, not a control. Formal approval of business requirements (D) is a control, but the question asks for exactly two, and A and C are the broader key controls.

217
Multi-Select (hard)

A company is updating its business continuity plan (BCP). Which THREE of the following should be included as key components?

Select 3 answers
A. List of critical staff and contact information
B. Detailed network topology diagrams
C. Vendor contracts for equipment replacement
D. Procedures for activating the plan
E. Results of the latest risk assessment
Answers: A, D, E

Correct: Essential for communication and activation.

Why this answer

A BCP must define who is responsible, how to activate the plan, and the risks it addresses. Network diagrams and vendor contracts are supporting documents but not key components of the plan itself.

218
MCQ (hard)

An organization is developing a custom application. The project manager reports that the development team has implemented 80% of the features but only 50% of the budget is used. What is the MOST significant risk from an IS audit perspective?

A. The project may be completed ahead of schedule.
B. The application may not meet user requirements.
C. The remaining budget may be insufficient for testing and deployment.
D. The project may exceed the total budget due to scope growth.
Answer: D

The mismatch indicates potential cost overrun if remaining features require more budget.

Why this answer

Option D is correct because the project has consumed only 50% of the budget while delivering 80% of the features, indicating a high probability of scope growth or feature creep. From an IS audit perspective, this imbalance suggests that additional features may be added without corresponding budget increases, leading to total budget overrun. The risk is that the remaining 20% of features will require more than the remaining 50% of the budget, especially if testing and deployment costs are underestimated.

Exam trap

The trap here is that candidates focus on the immediate budget concern (Option C) rather than recognizing that the 80% features with 50% budget indicates scope growth is the root cause of potential budget overrun, which is the most significant audit risk.

How to eliminate wrong answers

Option A is wrong because completing ahead of schedule is not a risk from an IS audit perspective; it is a positive outcome, and the data does not support it, since 80% of features with 50% of budget indicates slower-than-planned spending, not faster completion. Option B is wrong because the application may still meet user requirements; the risk here concerns budget and scope control, and there is no evidence of requirement gaps. Option C is wrong because, although insufficient budget for testing and deployment is a concern, the most significant risk is scope growth leading to total budget overrun: the remaining features may be underfunded, but the primary audit risk is uncontrolled scope expansion.

219
MCQ (medium)

A bank is converting data from its legacy core banking system to a new platform. Which control is MOST critical to ensure the completeness and accuracy of data conversion?

A. Parallel running of both systems
B. Reconciliation of converted data totals to source system totals
C. Data validation rules programmed in the conversion tool
D. User acceptance testing of the new system
Answer: B

Reconciliation directly verifies completeness and accuracy.

Why this answer

Reconciliation of converted data totals to source system totals is the most critical control because it directly verifies that every record from the legacy system has been accurately migrated without loss or duplication. This control compares aggregate values (e.g., account balances, transaction counts) between the source and target databases, providing a definitive check for completeness and accuracy that other controls cannot guarantee.

Exam trap

The trap here is that candidates confuse 'data validation rules' (which ensure individual field correctness) with 'reconciliation' (which ensures aggregate completeness and accuracy), leading them to choose Option C even though validation cannot detect missing records or totals.

How to eliminate wrong answers

Option A is wrong because parallel running tests business processes and system functionality, but it does not provide a systematic, record-level verification of data completeness and accuracy; discrepancies in data may be masked by compensating process flows. Option C is wrong because data validation rules in the conversion tool only check format and business rule compliance during transformation, but they cannot detect missing records or totals that were never extracted from the source. Option D is wrong because user acceptance testing focuses on whether the new system meets functional requirements, not on verifying that every data element from the legacy system has been accurately transferred.

220
Multi-Select (hard)

Which THREE of the following are typical objectives of an IT governance framework for system acquisition?

Select 3 answers
A. Risk management
B. Strategic alignment
C. Value delivery
D. Resource management
E. Cost reduction
Answers: A, B, C

Manages risks associated with IT.

Why this answer

Risk management (A) is a core objective of an IT governance framework for system acquisition because it ensures that risks related to system procurement, such as vendor lock-in, security vulnerabilities, and compliance gaps, are identified, assessed, and mitigated before deployment. Strategic alignment (B) ensures that the acquired system supports the organization's business goals and IT strategy, preventing investment in technology that does not deliver business value. Value delivery (C) focuses on optimizing costs and benefits throughout the system lifecycle, ensuring that the acquisition provides measurable returns and meets performance targets.

Exam trap

The trap here is that candidates often confuse the broader IT governance objectives (which include resource management and cost reduction) with the specific objectives for system acquisition, leading them to select D or E instead of recognizing that the question explicitly asks for typical objectives of the acquisition phase.

221
MCQ (medium)

An IS auditor is reviewing a system development project to assess whether it is on schedule. Which of the following would provide the BEST evidence of project progress against the planned timeline?

A. Minutes from status review meetings
B. Approved requirements document
C. Successful unit test results
D. Updated project schedule with actual completion dates for milestones
Answer: D

The project schedule directly compares planned vs actual milestones.

Why this answer

The updated project schedule with actual completion dates for milestones (Option D) provides direct, objective evidence of progress against the planned timeline. It shows the baseline plan, the actual dates work was completed, and the variance, allowing the IS auditor to quantitatively assess schedule adherence. This is the primary artifact for schedule tracking in system development projects.

Exam trap

The trap here is that candidates often confuse evidence of technical progress (like passing unit tests) with evidence of schedule progress, failing to recognize that technical success does not equate to on-time delivery.

How to eliminate wrong answers

Option A is wrong because minutes from status review meetings are subjective summaries of discussions and opinions, not objective evidence of actual completion dates or schedule variance. Option B is wrong because an approved requirements document defines what the system should do, not when tasks were completed or how the project is tracking against the timeline. Option C is wrong because successful unit test results verify that individual code modules function correctly, but they do not provide any information about whether those tests were completed on schedule or how the project is performing against the planned timeline.

222
MCQ (hard)

A government agency has an IT governance framework that includes an IT strategy committee, an IT steering committee, and a project management office. Despite this, there is a lack of transparency regarding IT spending and resource allocation. The agency's annual audit found that several IT initiatives were not approved by the steering committee and were funded out of operational budgets. The CFO is frustrated because IT costs are unpredictable. The agency's chief information officer (CIO) reports to the CFO but the IT steering committee is chaired by the CIO. The auditor's best recommendation to improve governance is to:

A. Establish a chargeback system to allocate IT costs to business units
B. Require all IT projects to submit a business case to the steering committee for approval
C. Change the steering committee chair to a senior business executive independent of IT
D. Implement a policy that prohibits funding IT projects from operational budgets without steering committee approval
Answer: C

Independence strengthens oversight and reduces the ability of the CIO to bypass governance.

Why this answer

Option C is correct because having an independent steering committee chair (e.g., a senior business executive) provides checks and balances and prevents the CIO from bypassing governance. Option B addresses approval of business cases but does not fix the conflict of interest in who chairs the committee. Option D is a policy change that can be ignored without a structural change.

Option A focuses on cost allocation, not on the root cause of the governance bypass.

223
MCQ (hard)

Refer to the exhibit. During a security audit, an IS analyst identifies that a critical business application hosted on 192.168.1.100:443 is unreachable from the 10.0.1.0/24 subnet. Which of the following is the MOST likely cause?

A. The first rule blocks all traffic from 10.0.1.0/24
B. The second rule blocks HTTPS traffic from any source to the host
C. The third rule permits all traffic from the 10.0.0.0/16 subnet
D. The firewall is misconfigured for TCP traffic
Answer: A

Correct: The deny rule for the subnet overrides any permit.

Why this answer

The first rule denies all IP traffic from 10.0.1.0/24 to any destination, and because rules are evaluated in order, this rule takes precedence. The second rule blocks only HTTPS from any source, but the first rule has already blocked all traffic from that subnet before the second rule is reached. The permit rule applies to a different (broader) subnet and cannot override an earlier deny.

224
Multi-Select (medium)

Which TWO of the following are effective controls to prevent unauthorized access to sensitive data in a database? (Choose two.)

Select 2 answers
A. Database activity monitoring (DAM)
B. Strong password policy
C. Database encryption at rest
D. Regular patch management
E. Network segmentation
Answers: A, C

DAM detects and blocks unauthorized access.

Why this answer

Options A and C are correct. Encryption at rest (C) protects data if the underlying storage is accessed directly. Database activity monitoring (A) detects and can block unauthorized queries.

Option E is wrong because network segmentation alone does not prevent access if credentials are compromised. Option B is wrong because strong passwords are good practice but not sufficient on their own. Option D is wrong because regular patching addresses vulnerabilities but does not control access.

225
MCQ (hard)

You are the IT governance lead at a multinational corporation with a complex IT environment spanning multiple business units. The company has recently experienced a series of minor security incidents where unauthorized access was gained through unused user accounts that were not disabled after employees left the organization. Additionally, there have been delays in provisioning access for new hires, leading to productivity losses. The IT department currently uses a manual process for access management, with each business unit maintaining its own user lists. The company has a policy that requires access reviews every quarter, but these are often missed or performed superficially. The CIO has asked you to recommend a solution that addresses these issues while ensuring compliance with regulations such as GDPR and SOX. Which of the following is the BEST course of action?

A. Require each business unit to submit monthly reports of active users to IT, which will then manually disable accounts not on the list.
B. Develop a new policy that mandates quarterly access reviews and disciplinary action for non-compliance.
C. Increase the frequency of access reviews to monthly and assign a dedicated team to perform them.
D. Implement an identity governance and administration (IGA) tool that automates user provisioning and de-provisioning, integrates with HR systems, and enforces access reviews.
Answer: D

Automation addresses the root causes: timely de-provisioning, consistent reviews, and compliance.

Why this answer

Option D is correct because implementing an Identity Governance and Administration (IGA) tool directly addresses the root causes: manual, decentralized access management and lack of automated de-provisioning. IGA integrates with HR systems (e.g., Workday, SAP SuccessFactors) to trigger automatic account creation for new hires and immediate deactivation upon termination, eliminating orphaned accounts. It also enforces scheduled, auditable access reviews with certification workflows, ensuring compliance with GDPR (right to erasure, data minimization) and SOX (segregation of duties, access controls).

This automated approach resolves both the security incidents from unused accounts and the productivity losses from delayed provisioning.

Exam trap

The trap here is that candidates often choose options that increase manual oversight (like monthly reports or dedicated teams) because they seem practical, but the CISA exam emphasizes automated, integrated solutions (IGA) as the only sustainable way to achieve compliance and security at scale in complex, multi-unit environments.

How to eliminate wrong answers

Option A is wrong because it perpetuates the manual, error-prone process by relying on business units to submit reports and IT to manually disable accounts, which does not scale, introduces latency, and fails to prevent orphaned accounts between reporting cycles. Option B is wrong because developing a new policy without automated enforcement tools does not address the root cause of missed or superficial reviews; it merely adds another layer of documentation that is likely to be ignored without technical controls. Option C is wrong because increasing review frequency and assigning a dedicated team still relies on manual processes, which are costly, prone to human error, and cannot guarantee timely de-provisioning or integration with HR lifecycle events.
