CISA Exam Question 1
The PRIMARY purpose of an incident response plan is to:
Correct Answer: A
The primary purpose of an incident response plan is to reduce the impact of an adverse event on information assets. An incident response plan is a set of instructions and procedures that guide the organization's actions in the event of a security breach, cyberattack, or other disruption that affects its information systems and data.
An incident response plan aims to:
Detect and identify the incident as soon as possible.
Contain and isolate the incident to prevent further damage or spread.
Analyze and investigate the incident to determine its cause, scope, and impact.
Eradicate and eliminate the incident and its root causes from the affected systems and data.
Recover and restore the normal operations and functionality of the systems and data.
Learn and improve from the incident by documenting the lessons learned, best practices, and recommendations for future prevention and mitigation.
By following an incident response plan, the organization can minimize the negative consequences of an adverse event on its information assets, such as:
Loss or corruption of data or information.
Disclosure or theft of confidential or sensitive data or information.
Interruption or degradation of system or service availability or performance.
Legal or regulatory noncompliance or liability.
Financial or reputational loss or damage.
An incident response plan also helps the organization to demonstrate its due diligence and accountability in protecting its information assets and complying with its legal and contractual obligations.
The other options are not the primary purpose of an incident response plan, although they may be secondary benefits or outcomes of having one.
Increasing the effectiveness of preventive controls is not the primary purpose of an incident response plan.
Preventive controls aim to prevent or deter incidents from occurring in the first place; examples include firewalls, antivirus software, encryption, and authentication. An incident response plan is a reactive control that deals with incidents after they have occurred. However, an incident response plan may help to improve the effectiveness of preventive controls by identifying and addressing their weaknesses or gaps.
Reducing the maximum tolerable downtime (MTD) of impacted systems is not the primary purpose of an incident response plan. MTD is a measure of how long an organization can tolerate a system or service outage before it causes unacceptable harm or loss to its business operations or objectives. An incident response plan may help to reduce the MTD of impacted systems by facilitating a faster and smoother recovery process.
However, reducing the MTD is not the main goal of an incident response plan, but rather a desired outcome.
Increasing awareness of impacts from adverse events to IT systems is not the primary purpose of an incident response plan. Awareness is a state of being informed or conscious of something. An incident response plan may help to increase awareness of impacts from adverse events to IT systems by providing information and communication channels for stakeholders, such as management, employees, customers, regulators, etc.
However, increasing awareness is not the main objective of an incident response plan, but rather a means to achieve other objectives, such as reducing impact, ensuring compliance, or maintaining trust.
CISA Exam Question 2
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
Correct Answer: C
The most concerning thing for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization's internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations, and industry standards. An IT strategy document should also align with the organization's business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization's specific situation. It may also lack coherence, consistency, feasibility, or sustainability.
The other options are not as concerning as option C.
That the target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization's IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining the target architecture at a technical level helps an IS auditor understand how the organization plans to achieve its strategic IT goals and which technical requirements and standards it needs to follow.
That the previous year's IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year's IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate challenges or gaps in the organization's IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound.
That financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of the new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document helps an IS auditor assess whether the new initiatives are aligned with the organization's budget and resources and whether they provide value for money.
References: IT Strategy Template for a Successful Strategic Plan | Gartner; Definitive Guide to Developing an IT Strategy and Roadmap - CioPages; An Example of a Well-Developed IT Strategy Plan - Resolute
CISA Exam Question 3
Which of the following biometric access controls has the HIGHEST rate of false negatives?
Correct Answer: B
Among the options provided, fingerprint scanning has the highest rate of false negatives. False negatives occur when a biometric system fails to recognize an authentic individual. Factors such as skin conditions (wet, dry, greasy), finger injuries, and inadequate scanning can contribute to false negatives in fingerprint scanning [1]. In comparison, iris recognition [2][3], face recognition [4][5], and retina scanning [6][7] generally have lower rates of false negatives.
References:
[1] How Accurate are today's Fingerprint Scanners? - Bayometric
[2] 25 Advantages and Disadvantages of Iris Recognition - Biometric Today
[3] Iris Recognition Technology (or, Musings While Going through Airport ...
[4] The Critics Were Wrong: NIST Data Shows the Best Facial Recognition Algorithms Are Neither Racist Nor Sexist | ITIF
[5] NIST Launches Studies into Masks' Effect on Face Recognition Software
[6] Retinal scan - Wikipedia
[7] How accurate are retinal security scans - Smart Eye Technology
CISA Exam Question 4
During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?
Correct Answer: C
The best action that audit management should consider first is to reassign the audit to an internal audit subject matter expert. This is because cloud service audits require specialized knowledge and skills to assess the risks and controls associated with the cloud service provider and the cloud service customer. An IS auditor who is unfamiliar with the technologies in use and their associated risks to the business may not be able to perform an effective and efficient audit, and may miss important issues or provide inaccurate recommendations.
Therefore, it is important to ensure that the IS auditor assigned to the cloud service audit has the appropriate competence and experience.
The other options are not as good as reassigning the audit to an internal audit subject matter expert.
Conducting a follow-up audit after a suitable period has elapsed may not address the quality issues of the initial audit, and may also delay the identification and remediation of any problems. Rescheduling the audit assignment for the next financial year may expose the organization to unnecessary risks and may not meet the audit objectives or expectations. Extending the duration of the audit to give the auditor more time may not be feasible or cost-effective, and may not guarantee that the auditor will acquire the necessary knowledge and skills in time.
References:
ISACA, CISA Review Manual, 27th Edition, 2019, p. 1391
ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, p. 14
CISA Exam Question 5
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Correct Answer: B
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is unchanged. This is because end users are still the ultimate customers and beneficiaries of the system, and they need to ensure that the software package meets their requirements, expectations, and satisfaction. End user testing, also known as user acceptance testing (UAT) or beta testing, is the final stage of testing performed by the user or client to determine whether the software can be accepted or not [1]. End user testing is important for both in-house developed and acquired software packages, as it helps to verify the functionality, usability, performance, and reliability of the system [2]. End user testing also helps to identify and resolve any defects, errors, or issues that may not have been detected by the developers or vendors [3].
Therefore, option B is the correct answer.
Option A is not correct because end user testing is not eliminated by acquiring a software package. Even though the software package may have been tested by the vendor or supplier, it may still have bugs, compatibility issues, or configuration problems that need to be fixed before deployment [4]. Option C is not correct because end user testing is not increased by acquiring a software package. The scope and extent of end user testing depend on various factors, such as the complexity, criticality, and customization of the system, and not on whether it is developed in-house or acquired. Option D is not correct because end user testing is not reduced by acquiring a software package. The software package may still require modifications or integrations to suit the specific needs and environment of the organization, and these changes need to be tested by the end users.
References:
[5] Chapter 4 Methods of Software Acquisition
[1] What is User Acceptance Testing (UAT): A Complete Guide
[3] What Is End-to-End Testing? (With How-To and Example)
[4] How to Evaluate New Software in 5 Steps
User Acceptance Testing (UAT) in ERP Projects
User Acceptance Testing for Packaged Software