CISA · topic practice

Scenario practice questions

Practise Certified Information Systems Auditor (CISA) Scenario practice questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
11 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition. The questions cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

11 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?

Question 2 · hard · multiple choice

A company's endpoint protection solution alerts on a file that is digitally signed by a trusted software vendor but exhibits malicious behavior on execution. What type of threat does this scenario most likely depict?

Question 3 · medium · multiple choice

An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?

Question 4 · easy · multiple choice

During a security audit, it was found that users in the finance department have unnecessary access to HR payroll data. Which access control principle has been violated?

Question 5 · easy · multi-select

Which of the following are effective controls to protect sensitive data in use? (Choose TWO.)

Question 6 · medium · multiple choice

An organization is implementing a data classification policy and needs to assign ownership for sensitive data. Which of the following is the most appropriate role to assign as the data owner?

Question 7 · hard · multiple choice

An IS auditor is evaluating the effectiveness of an organization's information security awareness program. Which of the following is the BEST indicator of program effectiveness?

Question 8 · medium · multiple choice

You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?

Question 9 · easy · multiple choice

A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?

Question 10 · medium · multiple choice

Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?

Question 11 · hard · multiple choice

Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer, who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes, which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?


Frequently asked questions

What does the CISA exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISA topics?
Use the topic links above to move to related areas, or go back to the CISA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISA exam covers. They are not copied from any real exam or dump site.