CISA · topic practice

Information Systems Operations and Business Resilience practice questions

Practise Certified Information Systems Auditor CISA Information Systems Operations and Business Resilience practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Information Systems Operations and Business Resilience

What the exam tests

What to know about Information Systems Operations and Business Resilience

Information Systems Operations and Business Resilience questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Information Systems Operations and Business Resilience exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Information Systems Operations and Business Resilience questions

20 questions · select your answer, then reveal the explanation

An organization is implementing a new incident management process aligned with ITIL. The IT team discovers a critical system is down, affecting all users. According to ITIL, what severity level should be assigned to this incident?

During a change advisory board (CAB) meeting, a proposed change to the database server is discussed. The change involves implementing a security patch that requires a reboot. The change is categorized as 'normal' and has been risk-assessed as low impact. What is the most likely role of the CAB in this scenario?

An organization's backup strategy includes daily incremental backups and weekly full backups. During a disaster recovery test, the restoration of a critical server fails because a required incremental backup is corrupt. Which control should the organization implement to verify the integrity of backups?

In business continuity planning, a company identifies a critical business process with a maximum tolerable downtime (MTD) of 4 hours. What is the primary purpose of this metric?

An IT auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes are frequently approved by the change manager without CAB review. Which risk is most associated with this practice?

A company outsources its IT help desk to a third-party vendor. The service level agreement (SLA) specifies that all P1 incidents must be resolved within 2 hours. During an audit, the auditor finds that the vendor’s average resolution time for P1 incidents is 3 hours. What is the most appropriate recommendation?

During a business impact analysis (BIA), a department manager states that their process can be disrupted for up to 8 hours, but data loss cannot exceed 15 minutes. Which two metrics are defined by these statements?

An organization uses automated job scheduling for nightly batch processing. One job fails due to a missing dependency file. What is the most effective control to prevent recurrence?

An organization is implementing a disaster recovery plan. The DR team wants to test the plan with minimal risk and without impacting production operations. Which type of test is most appropriate?

A company uses a RAID 5 array for its file server. One disk fails, and the system continues to operate. However, during the rebuild process, a second disk fails. What is the likely consequence?

An auditor is reviewing IT asset management processes. The auditor finds that several servers running an older operating system are still in production, even though the vendor has ended support. What is the primary risk associated with this finding?

A company's availability monitoring shows that a critical application has an average MTBF of 720 hours and an average MTTR of 4 hours. What is the availability percentage?

An organization is developing a business continuity strategy for its key customer-facing application. The BIA determined an RTO of 2 hours and an RPO of 30 minutes. Which TWO strategies are most appropriate to meet these objectives?

During a vendor audit, an IS auditor discovers that a cloud service provider uses subcontractors to manage data storage. The contract does not mention subcontracting. Which THREE risks should the auditor highlight to management?

An organization is implementing a new release management process. Which TWO activities are essential components of a successful release?

An organization has defined an SLA that requires critical incidents to be resolved within 4 hours. A P1 incident is reported at 10:00 AM. At what time must the incident be resolved to meet the SLA?

During a recent audit, the IT auditor found that the problem management process does not include a known error database (KEDB). Which of the following is the MOST significant risk associated with this finding?

An organization uses a standard change model for low-risk, pre-approved changes. Which of the following is an example of a standard change?

An IS auditor is reviewing the change management process and notices that several emergency changes were implemented without post-implementation review. What is the PRIMARY concern?

An organization's backup strategy includes full backups every Sunday and incremental backups on other days. On Wednesday, a failure occurs. Which backups are needed to restore the data?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Information Systems Operations and Business Resilience sessions

Start a Information Systems Operations and Business Resilience only practice session

Every question in these sessions is drawn from the Information Systems Operations and Business Resilience domain — nothing else.

Related practice questions

Related CISA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISA exam test about Information Systems Operations and Business Resilience?
Information Systems Operations and Business Resilience questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Systems Operations and Business Resilience questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Systems Operations and Business Resilience domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISA topics?
Use the topic links above to move to related areas, or go back to the CISA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISA exam covers. They are not copied from any real exam or dump site.
Certified Information Systems Auditor CISA Information Systems Operations and Business Resilience Practice Questions with Explanations | Courseiva