
Scenario-based practice

Hard Difficulty Questions

Practise Certified Information Systems Auditor (CISA) exam-style scenario questions: original scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: CISA | Vendor: ISACA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. Each one checks:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multiple choice)

Based on the exhibit, which control is most likely missing to prevent this type of event?

Exhibit

Refer to the exhibit.

syslog output:

```
Mar 15 10:23:45 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:46 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:47 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:48 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
Mar 15 10:23:49 server01 sshd[1234]: Failed password for root from 10.0.0.99 port 22 ssh2
```

Question 2 (hard, multiple choice)

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

Question 3 (hard, multiple choice)

Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?

Exhibit

Refer to the exhibit.
```
Access Control List for /payroll:
User: jdoe (Read, Write)
User: asmith (Read)
Group: HR_Managers (Full Control)
Group: Payroll_Clerks (Read, Write)
Group: Internal_Audit (Read)
Effective permissions for user jdoe: Read, Write
```

Question 4 (hard, multi select)

Which THREE of the following are key elements that should be included in a risk assessment report for information systems?

Question 5 (hard, multiple choice)

During an incident response exercise, the IT team discovers that the failover to the disaster recovery (DR) site failed because the DR site's storage area network (SAN) was not zoned correctly for the replicated data. Which of the following controls would BEST prevent this issue?

Question 6 (hard, multiple choice)

An IT auditor is reviewing the business continuity plan (BCP) for a financial services firm. The plan includes a hot site that is shared with another organization under a reciprocal agreement. Which of the following findings should be of MOST concern to the auditor?

Question 7 (hard, multiple choice)

During a post-implementation review of a new HR system, the auditor finds that the system's disaster recovery plan (DRP) was not tested before go-live. Which of the following is the BEST recommendation?

Question 8 (hard, multiple choice)

A company is implementing a privileged access management (PAM) system. Which of the following is the MOST important control to prevent lateral movement after a privileged account is compromised?

Question 9 (hard, multi select)

Which THREE of the following are key components of an effective information security awareness program? (Choose three.)

Question 10 (hard, multiple choice)

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

Question 11 (hard, multi select)

An IS auditor is reviewing the system development life cycle (SDLC) for a custom application. The project manager has decided to skip the design phase and proceed directly from requirements to coding. Which of the following risks are MOST likely to increase as a result? (Choose two.)

Question 12 (hard, multi select)

Based on the backup logs, the backup administrator notices that the incremental backup job failed due to insufficient storage. Which TWO actions should the administrator take to resolve the immediate issue and prevent recurrence?

Exhibit

Refer to the exhibit.

```
Backup Log for ArcServe UDP – 2024-05-21
========================================
Job Name: Full_Backup_Weekly
Start Time: 02:00
End Time: 04:30
Status: Completed with warnings
Details:
- Volume C: Backup successful (40.5 GB)
- Volume D: Backup successful (120.2 GB)
- Volume E: Backup failed (error code 0x80070020 – file in use)
- Volume F: Backup successful (25.0 GB)

Job Name: Incremental_Backup_Daily
Start Time: 12:00
End Time: 12:45
Status: Failed
Details:
- Volume C: Backup failed (error code 0x807800C5 – insufficient storage)
- Volume D: Backup failed (error code 0x807800C5 – insufficient storage)
- Volume E: Backup failed (error code 0x807800C5 – insufficient storage)
- Volume F: Backup failed (error code 0x807800C5 – insufficient storage)
```

Question 13 (hard, multiple choice)

Refer to the exhibit. A security analyst notices that users on the INSIDE network (10.1.1.0/24) can browse HTTPS websites but cannot resolve domain names. What is the most likely cause?

Exhibit

Refer to the exhibit.

Firewall rule excerpt (Cisco ASA):

```
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 53
access-list INSIDE extended deny ip any any

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.254 1
```

Question 14 (hard, multi select)

Which THREE of the following are common challenges when integrating a software package with existing legacy systems? (Select exactly three.)

Question 15 (hard, multiple choice)

The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?

Exhibit

Refer to the exhibit.
```
System Log Entry:
Timestamp: 2024-03-15 14:32:17
Event ID: 4625 (Logon Failure)
Account: svc_backup
Source: Backup Server
Failure Reason: Account locked out.
```

Question 16 (hard, multiple choice)

During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?

Question 17 (hard, multi select)

Which TWO are primary objectives of an identity and access management (IAM) program? (Select exactly 2.)

Question 18 (hard, multiple choice)

A security architect is designing a data classification schema for a multinational corporation. Which combination of factors is MOST critical for determining the classification level of a data asset?

Question 19 (hard, multiple choice)

Based on the exhibit, what should the IS auditor MOST likely recommend?

Exhibit

Refer to the exhibit.
```
Change Management Log Extract:
CR-2024-001: Approved | Implemented 01/15 14:00
CR-2024-002: Approved | Implemented 01/20 09:30
CR-2024-003: Emergency (post-approved) | Implemented 01/25 22:15
CR-2024-004: Approved | Implemented 02/01 11:00
CR-2024-005: Emergency (post-approved) | Implemented 02/10 23:45
CR-2024-006: Approved | Implemented 02/15 10:00
CR-2024-007: Emergency (post-approved) | Implemented 02/20 21:30
```

Question 20 (hard, multi select)

Which THREE of the following are key metrics to include in a disaster recovery test report? (Select exactly 3.)

These CISA practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CISA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.