CISA Exam Questions
650 real CISA exam questions with expert-verified answers and explanations. Page 5 of 13.
- Question #201 (Protection of Information Assets)
  Which of the following findings from an industrial control system (ICS) audit should an IS auditor recommend be addressed FIRST?
  Tags: ICS Security, Network Segmentation, Vulnerability Prioritization, Risk Management
- Question #202 (Protection of Information Assets)
  Which of the following BEST enables an organization's information security team to correlate and aggregate log files from different sources?
  Tags: SIEM, Log Management, Security Monitoring, Event Correlation
- Question #203 (Protection of Information Assets)
  Which of the following is the BEST compensating control to apply when hardware and software associated with a legacy system cannot be patched or updated to protect against known vu...
  Tags: Compensating Controls, Legacy Systems, Network Security, Firewalls
- Question #204 (Information Systems Operations and Business Resilience)
  If concurrent update transactions to an account are not processed properly, which of the following will be affected?
  Tags: Data Integrity, Transaction Processing, Concurrency Control, Database Controls
- Question #205 (Information Systems Acquisition, Development, and Implementation)
  An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the...
  Tags: Machine Learning Audit, Data Quality, Model Reliability, Audit Risk
- Question #206 (Information Systems Operations and Business Resilience)
  Which of the following concerns is BEST addressed by defining job dependencies when creating job schedules?
  Tags: Job scheduling, Job dependencies, IT operations, Batch processing integrity
- Question #207 (Governance and Management of IT)
  When reviewing an organization's finalized risk assessment process, what would be the MAIN reason for an IS auditor to compare the acceptable risk level with residual risk?
  Tags: Risk Management, Residual Risk, Acceptable Risk, IS Audit Review
- Question #208 (Information Systems Acquisition, Development, and Implementation)
  When an organization conducts business process improvements, the IS auditor should be MOST concerned with the:
  Tags: IS auditor responsibilities, Business process improvement, Controls assessment, Change management
- Question #209 (Information Systems Acquisition, Development, and Implementation)
  During which phase of the software development life cycle should an IS auditor be consulted to recommend security controls?
  Tags: SDLC, Security Controls, IS Auditor Role, Requirements Definition
- Question #210 (Governance and Management of IT)
  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's customer relationship management (CRM) capability?
  Tags: Risk Management, SaaS Security, Data Protection, Shadow IT
- Question #211 (Protection of Information Assets)
  A cloud access security broker (CASB) administers the user access of a Software as a Service (SaaS) on behalf of the customer organization. When conducting an audit of the service,...
  Tags: CASB, Identity and Access Management, Cloud Security, Auditing Controls
- Question #212 (Governance and Management of IT)
  Which of the following is MOST critical to the success of an information security program?
  Tags: Information Security Program, Management Commitment, Governance, Success Factors
- Question #213 (Information Systems Acquisition, Development, and Implementation)
  Which of the following is the MOST appropriate team to verify that system changes deployed through a continuous integration/continuous development (CI/CD) pipeline are tested and i...
  Tags: CI/CD, Quality assurance, Change management, SDLC roles
- Question #214 (Information Systems Acquisition, Development, and Implementation)
  An organization has purchased a new cloud-based application from a vendor. Which of the following should be the FIRST consideration when implementing the system?
  Tags: Cloud Security, System Implementation, Default Accounts, Security Best Practices
- Question #215 (Protection of Information Assets)
  Which of the following is the PRIMARY purpose of a data loss prevention (DLP) tool?
  Tags: Data Loss Prevention, Information Protection, Data Security, Confidentiality
- Question #216 (Information Systems Operations and Business Resilience)
  Which of the following operational log management considerations is MOST important for an organization undergoing a digital transformation?
  Tags: Log Management, Digital Transformation, Operational Security, Centralized Logging
- Question #217 (Information Systems Operations and Business Resilience)
  Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?
  Tags: Incident Response, Digital Forensics, Evidence Preservation, Forensic Imaging
- Question #218 (Information System Auditing Process)
  Which of the following would provide an IS auditor with the MOST comprehensive understanding of an organization's cybersecurity posture?
  Tags: Cybersecurity Posture, Maturity Assessment, Audit Techniques, Information Security Governance
- Question #219 (Information Systems Acquisition, Development, and Implementation)
  Which of the following scenarios poses the GREATEST security concern during the system development life cycle (SDLC)?
  Tags: SDLC Security, Secure Configuration, Vulnerability Management, Risk Assessment
- Question #220 (Protection of Information Assets)
  Which of the following is the BEST way for the auditor to ensure an organization has taken adequate steps to mitigate the risk of employees exfiltrating proprietary information?
  Tags: Data Loss Prevention (DLP), Information Security Controls, Data Protection, Risk Mitigation
- Question #221 (Governance and Management of IT)
  Which of the following is MOST helpful for evaluating benefits realized by IT projects?
  Tags: Project evaluation, Benefits realization, Return on Investment (ROI), Post-implementation review
- Question #222 (Protection of Information Assets)
  Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?
  Tags: Blockchain technology, Cryptography, Information security controls, Distributed Ledger Technology
- Question #223 (Information System Auditing Process)
  Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action?
  Tags: Audit Reporting, Management Response, Risk Acceptance
- Question #224 (Information Systems Operations and Business Resilience)
  Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?
  Tags: Business Continuity Plan (BCP), BCP Testing, Tabletop Exercise, Cost-effectiveness
- Question #225 (Information Systems Acquisition, Development, and Implementation)
  An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organizatio...
  Tags: Source Code Escrow, Vendor Management, Business Risk Assessment, Application Lifecycle
- Question #226 (Information System Auditing Process)
  At the end of each business day, a business-critical application generates a report of financial transactions greater than a certain value, and an employee then checks these transa...
  Tags: Control Types, Detective Controls, Application Controls, Financial Transactions
- Question #227 (Information Systems Operations and Business Resilience)
  Which of the following is the BEST way to verify the effectiveness of a data restoration process?
  Tags: Data Restoration, Backup Verification, Business Continuity Testing, IT Operations Effectiveness
- Question #228 (Information Systems Operations and Business Resilience)
  Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?
  Tags: Vulnerability Scanning, System Performance, Critical Infrastructure, Operational Impact
- Question #229 (Information Systems Acquisition, Development, and Implementation)
  Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
  Tags: Project Feasibility Study, IS Audit Role, Benefit Realization, Project Justification
- Question #230 (Information System Auditing Process)
  Which of the following is an IS auditor's BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?
  Tags: Audit Follow-up, Risk Management, Compensating Controls
- Question #231 (Governance and Management of IT)
  Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's IT process performance reports over the last quarter?
  Tags: IT Performance Reporting, Key Performance Indicators (KPIs), Audit Findings Prioritization, IT Governance Oversight
- Question #232 (Protection of Information Assets)
  When protecting the confidentiality of information assets, the MOST effective control practice is the:
  Tags: Confidentiality, Access Control, Need-to-know, Information Security Controls
- Question #233 (Information Systems Acquisition, Development, and Implementation)
  Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?
  Tags: Software Development Lifecycle (SDLC), Project Management, User Acceptance Testing (UAT), Project Tracking
- Question #234 (Protection of Information Assets)
  What is the MOST effective way to detect installation of unauthorized software packages by employees?
  Tags: Unauthorized software, Software inventory, Detection controls, Endpoint security
- Question #235 (Protection of Information Assets)
  Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
  Tags: Mobile Device Management (MDM), BYOD Security, Mobile Application Security, Information Asset Protection
- Question #236 (Information Systems Acquisition, Development, and Implementation)
  An IS auditor is reviewing an organization's release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application deve...
  Tags: Software Project Estimation, Function Point Analysis, Application Development, IS Audit Recommendations
- Question #237 (Protection of Information Assets)
  When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) betw...
  Tags: Network Security, Intrusion Detection System (IDS), Firewall, Security Architecture
- Question #238 (Information Systems Operations and Business Resilience)
  Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?
  Tags: Business Impact Analysis, Business Continuity Planning, Business Resilience, Business Processes
- Question #239 (Protection of Information Assets)
  An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team...
  Tags: Operational Logging, Security Controls, Audit Trails, Risk Management
- Question #240 (Information System Auditing Process)
  As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the...
  Tags: Auditor-auditee interaction, Audit recommendations, Mitigation planning, Audit follow-up
- Question #241 (Protection of Information Assets)
  Which of the following can only be provided by asymmetric encryption?
  Tags: Asymmetric Encryption, Nonrepudiation, Cryptography, Digital Signatures
- Question #242 (Governance and Management of IT)
  Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
  Tags: IT Portfolio Management, Risk Management, Value Realization, IT Governance
- Question #243 (Information Systems Acquisition, Development, and Implementation)
  Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?
  Tags: Version control, Source code management, Audit trail, Software development best practices
- Question #244 (Information System Auditing Process)
  Attribute sampling is BEST suited to estimate:
  Tags: Audit Sampling, Attribute Sampling, Compliance Testing, Audit Techniques
- Question #245 (Information Systems Acquisition, Development, and Implementation)
  Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
  Tags: Regression testing, Software testing, System integrity, Change management
- Question #246 (Information System Auditing Process)
  Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?
  Tags: Audit review, Audit report, Audit conclusions, Managerial oversight
- Question #247 (Information System Auditing Process)
  An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS audi...
  Tags: Compliance, Audit Evidence, Control Mapping, Policy Framework
- Question #248 (Information Systems Operations and Business Resilience)
  The use of control totals reduces the risk of:
  Tags: Control Totals, Data Integrity, Processing Controls, Completeness
- Question #249 (Information Systems Operations and Business Resilience)
  Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
  Tags: Ransomware, Data Recovery, Backups, Business Resilience
- Question #250 (Information Systems Operations and Business Resilience)
  Which of the following BEST indicates that an incident management process is effective?
  Tags: Incident Management, Performance Metrics, IT Service Management