CISA Exam Questions
650 real CISA exam questions with expert-verified answers and explanations. Page 1 of 13.
- Question #1: Protection of Information Assets
  When an intrusion into an organization's network is detected, which of the following should be done FIRST?
  Tags: Incident Response, Intrusion Detection, Security Incident Management, Cyber Incident Response

- Question #2: Information Systems Acquisition, Development and Implementation
  The IS quality assurance (QA) group is responsible for:
  Tags: Quality Assurance, Program Changes, IT Standards, SDLC

- Question #3: Governance and Management of IT
  Which of the following is the MOST important responsibility of user departments associated with program changes?
  Tags: Change Management, User Responsibilities, IT Governance, Program Changes

- Question #4: Information Systems Operations and Business Resilience
  What is the MAIN reason to use incremental backups?
  Tags: Backups, Incremental Backups, Data Protection, Backup Strategy

- Question #5: Information Systems Acquisition, Development and Implementation
  Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
  Tags: Post-implementation review, System maintenance planning, IS auditor priorities, IT lifecycle management

- Question #6: Information System Auditing Process
  Which of the following is the PRIMARY basis on which audit objectives are established?
  Tags: Audit objectives, Audit planning, Business strategy alignment, IS audit principles

- Question #7: Information Systems Operations and Business Resilience
  Which of the following metrics is the BEST indicator of the performance of a web application?
  Tags: Web application performance, Performance metrics, Application monitoring, Response time

- Question #8: Protection of Information Assets
  Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
  Tags: DLP Implementation, Data Classification, Data Inventory, Information Asset Protection

- Question #9: Protection of Information Assets
  An organization wants to classify database tables according to its data classification scheme. From an IS auditor's perspective, the tables should be classified based on the:
  Tags: Data Classification, Information Security, Database Security, IS Audit Controls

- Question #10: Protection of Information Assets
  Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important...
  Tags: Information classification, Data protection, Email security, Data governance

- Question #11: Governance and Management of IT
  Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?
  Tags: Key Performance Indicators, Business Process Effectiveness, Performance Measurement, Process Monitoring

- Question #12: Governance and Management of IT
  An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
  Tags: IT Governance, Process Maturity, Service Delivery Effectiveness, Maturity Models

- Question #13: Information Systems Acquisition, Development and Implementation
  What is the BEST control to address SQL injection vulnerabilities?
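Question #13 above asks for the best control against SQL injection. As an added illustration (it is not part of the question bank or its answer key), the Python snippet below contrasts a lookup that concatenates untrusted input into the SQL text with one that binds the value as a query parameter, and adds an allowlist check as a secondary, defence-in-depth layer. The table, the sample rows, the username format and the injection payload are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately weak: the untrusted value is spliced into the SQL text, so a
    quote character in it changes the structure of the statement."""
    sql = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value separately from the
    statement, so it can never become part of the SQL syntax."""
    sql = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Hypothetical username format assumed for this example: lowercase letter,
# then up to 31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> bool:
    """Allowlist input validation. This is a second layer on top of
    parameterization, not a replacement for it."""
    return USERNAME_RE.fullmatch(name) is not None


# Classic tautology payload; with string concatenation it turns the WHERE
# clause into  name = '' OR '1'='1'  and matches every row.
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the payload and report what each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION)),
        "safe_rows": len(lookup_safe(conn, INJECTION)),
        "safe_legit_rows": len(lookup_safe(conn, "alice")),
        "payload_passes_validation": validate_username(INJECTION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload, the concatenated query returns all three sample rows, the parameterized query returns none (it looks for a user literally named `' OR '1'='1`), and the allowlist rejects the input before it reaches the database. Parameterization is the control that removes the vulnerability; validation narrows the attack surface further but cannot be relied on alone, because a field that legitimately needs quotes or other punctuation would have to allow them.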
  Tags: SQL injection, Input validation, Application security, Secure coding

- Question #14: Governance and Management of IT
  Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT...
  Tags: IT Governance, IT Steering Committee, Committee Charter, Organizational Authority

- Question #15: Protection of Information Assets
  Which type of attack poses the GREATEST risk to an organization's most sensitive data?
  Tags: Insider threat, Sensitive data protection, Risk assessment, Cybersecurity threats

- Question #16: Protection of Information Assets
  An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?
  Tags: Control types, Preventive controls, Email security, Spam filtering

- Question #17: Protection of Information Assets
  An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
  Tags: Data sanitization, Data disposal, Information asset protection, Logical vs. physical deletion

- Question #18: Information System Auditing Process
  What is the PRIMARY reason to adopt a risk-based IS audit strategy?
  Tags: Risk-based audit, Audit strategy, Resource prioritization, Significant risk

- Question #19: Governance and Management of IT
  Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS audito...
  Tags: Control types, Directive controls, Acceptable Use Policy (AUP), IT Governance

- Question #20: Information Systems Operations and Business Resilience
  As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
  Tags: Business Impact Analysis (BIA), Critical Asset Inventory, Business Continuity Planning (BCP), Information Resilience

- Question #21: Protection of Information Assets
  The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
  Tags: Incident Response, Security Incident Management, Damage Assessment, Incident First Step

- Question #22: Protection of Information Assets
  Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
  Tags: Data Breach Notification, Regulatory Compliance, Incident Response, Data Privacy

- Question #23: Protection of Information Assets
  Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
  Tags: BYOD, Mobile Device Management (MDM), Data Tracking, Information Security Controls

- Question #24: Governance and Management of IT
  Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
  Tags: Security Policy, Policy Compliance, IT Governance, Audit Concerns

- Question #25: Information System Auditing Process
  Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
  Tags: Audit Prioritization, Follow-up Audits, Residual Risk, Risk-based Auditing

- Question #26: Information Systems Acquisition, Development and Implementation
  Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
  Tags: Agile Methodology, Software Development Life Cycle (SDLC), Project Deliverables, Prototyping

- Question #27: Information Systems Acquisition, Development and Implementation
  Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?
  Tags: Post-implementation review, IT controls, Application controls, IS audit objectives

- Question #28: Information Systems Operations and Business Resilience
  Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
  Tags: Incident Management, Process Design, Prioritization, IS Audit Concerns

- Question #29: Information System Auditing Process
  Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
  Tags: Exit Meeting, Audit Communication, Audit Reporting, IS Audit Process

- Question #30: Governance and Management of IT
  Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
  Tags: End-User Computing (EUC), Risk Management, IT Governance, Accountability

- Question #31: Governance and Management of IT
  Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
  Tags: Privacy, Legal and Regulatory Compliance, IT Project Assessment, Risk Management

- Question #32: Protection of Information Assets
  Which of the following is the PRIMARY reason for using a digital signature?
  Tags: Digital Signatures, Authentication, Non-repudiation, Cryptography

- Question #33: Information Systems Operations and Business Resilience
  Which of the following is the BEST indicator for measuring performance of the IT help desk function?
  Tags: ITSM, Help Desk Metrics, Performance Measurement, Incident Management

- Question #34: Protection of Information Assets
  Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
  Tags: Firewall types, Network security, Intrusion prevention, Security controls

- Question #35: Information System Auditing Process
  Which of the following is MOST important when planning a network audit?
  Tags: Network Audit Planning, Audit Scoping, Asset Identification, Audit Methodology

- Question #36: Information System Auditing Process
  Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
  Tags: Segregation of Duties, Internal Controls, Process Flowcharts, Audit Techniques

- Question #37: Information Systems Operations and Business Resilience
  Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
  Tags: Problem Management, IT Service Management, Root Cause Analysis

- Question #38: Governance and Management of IT
  Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
  Tags: Risk Assessment, Impact Analysis, Risk Mitigation, Management Decision Making

- Question #39: Protection of Information Assets
  Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?
  Tags: BYOD, Network Access Control, Risk Mitigation, Network Security

- Question #40: Protection of Information Assets
  When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
  Tags: Network Monitoring, Control Design Evaluation, Audit Evidence, Network Security

- Question #41: Protection of Information Assets
  Which of the following is MOST important to include in forensic data collection and preservation procedures?
  Tags: Forensic data collection, Chain of custody, Evidence preservation, Legal admissibility

- Question #42: Information Systems Acquisition, Development and Implementation
  Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?
  Tags: System migration, Big bang implementation, Project risk, IS audit

- Question #43: Information System Auditing Process
  Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
  Tags: Data Analytics, Audit Testing, Process Testing, Audit Techniques

- Question #44: Information System Auditing Process
  Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?
  Tags: DLP controls, Operational effectiveness, IS auditing procedures, Control testing

- Question #45: Information Systems Operations and Business Resilience
  Which of the following should be the FIRST step in the incident response process for a suspected breach?
  Tags: Incident Response, Breach Identification, Security Operations, Incident Management

- Question #46: Governance and Management of IT
  Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
  Tags: Information security policy, Business alignment, IT governance, Policy assessment

- Question #47: Information System Auditing Process
  An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these har...
  Tags: Asset destruction, Workflow analysis, Auditor's role, Process control gaps

- Question #48: Information System Auditing Process
  An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, th...
  Tags: Audit independence, Conflict of interest, Audit competence, Outsourcing audit

- Question #49: Governance and Management of IT
  An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
  Tags: Outsourcing contract, Access control, IS audit, Vendor management

- Question #50: Information System Auditing Process
  An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which...
  Tags: Segregation of Duties, Compensating Controls, Audit Procedure, Risk Assessment