Free CISA Certification Practice Exams
All questions come from my CISA Udemy course and certificationexams.pro
Free ISACA CISA Practice Test and Exam Questions
Over the past few months, I have been helping auditors, compliance officers, and IT professionals prepare for the ISACA Certified Information Systems Auditor (CISA) certification. ISACA remains one of the most respected organizations in the field of information systems auditing and governance.
The goal is to help you understand and apply auditing principles, control frameworks, and governance practices that align with business objectives and regulatory requirements.
A key milestone in that journey is earning the Certified Information Systems Auditor (CISA) credential.
This certification validates your ability to assess vulnerabilities, report on compliance, and ensure that organizational controls are effective.
It proves your expertise in audit planning, execution, information system acquisition, development, and governance. These domains are recognized worldwide by employers who value assurance and accountability in IT systems.
Whether you are an internal auditor, IT risk analyst, or compliance professional, the CISA certification demonstrates that you can evaluate and strengthen organizational control environments and provide valuable assurance on the integrity of information systems.
The ISACA CISA Exam measures your ability to plan and perform audits, manage risk, and evaluate compliance across critical systems and processes.
ISACA Exam Simulator
Through my Udemy courses on CISA certification and the free CISA Practice Questions available at certificationexams.pro, I have identified the areas where learners need greater understanding. That insight helped shape a full set of CISA Questions and Answers that closely match the structure and logic of the real ISACA exam.
You can also explore CISA Sample Questions and CISA Practice Tests to measure your readiness. Each question includes a clear explanation that reinforces key CISA concepts such as audit control objectives, governance processes, and risk analysis.
These materials are not about memorization. They focus on mastering the critical thinking and professional judgment ISACA expects from certified information systems auditors.
Real ISACA Exam Questions
If you are searching for Real CISA Exam Questions, this resource provides authentic instructor-created questions that reflect the tone and difficulty of the actual exam. These are not CISA Exam Dumps or copied materials. Each scenario tests your understanding of audit methodology, IT governance, and control assurance in real-world contexts.
The CISA Exam Simulator recreates the timing and experience of the real ISACA exam so you can practice effectively. For topic-focused study, explore CISA Braindump style question sets that group items by domain to reinforce learning through repetition and applied reasoning.
Each CISA Exam Question and CISA Practice Test helps you think like an auditor. These exercises prepare you to bridge the gap between governance frameworks and operational practices within your organization.
The CISA Certification is more than an achievement. It represents your ability to evaluate, assure, and improve the integrity of information systems in a world that depends on trust and compliance. Study with commitment, practice regularly, and approach the exam with honesty. With strong preparation and determination, you will join the community of respected information systems auditors recognized across industries.
ISACA Practice Test
Question 1
What is the most difficult aspect of drafting a service level agreement for network connectivity between a company and its external provider?
- ❏ A. Cloud Monitoring
- ❏ B. Ensuring compliance with privacy and data protection laws
- ❏ C. Defining the scope and the services covered by the agreement
- ❏ D. Establishing quantifiable performance metrics for the network service
Question 2
Which control technique is used to detect missing records, altered data, and duplicate entries?
- ❏ A. Reasonableness checks
- ❏ B. Hash totals
- ❏ C. Sequence checks
Question 3
Which capability should a network management system always provide to help administrators locate and understand how devices are connected?
- ❏ A. Ability to export logs and metrics for analysis in spreadsheet tools
- ❏ B. Cloud Monitoring
- ❏ C. Integration with an incident management system for creating tickets
- ❏ D. A visual topology map for tracing device links and dependencies
Question 4
Which statement is not a characteristic of circuit switching?
- ❏ A. A dedicated end to end channel is established for the session
- ❏ B. Individual data packets can traverse many different paths to reach the destination
- ❏ C. After setup the data flow follows a fixed and uniform route
Question 5
You are the information systems auditor for Arcadia Systems. You are evaluating methods to lower the risk when migrating to a replacement application that uses incompatible technologies compared with the legacy platform. Which approach will best diminish this transition risk?
- ❏ A. Blue green deployment
- ❏ B. Performing a full data transfer to the new platform
- ❏ C. Running the legacy and new systems concurrently
- ❏ D. Comprehensive end user training
Question 6
What is the primary objective of conducting a post-incident review of an incident response?
- ❏ A. To notify regulators of the incident
- ❏ B. To evaluate how effectively the incident response was executed
- ❏ C. To preserve forensic evidence for legal or investigative needs
- ❏ D. To update training and incident response playbooks
Question 7
Which risk response strategy requires putting checks and controls in place to lower the probability or impact of a threat?
- ❏ A. Transfer the risk
- ❏ B. Accept the risk
- ❏ C. Avoid the risk
- ❏ D. Mitigate the risk
Question 8
Which method of creating policies is directed by senior leadership and informed by risk assessments to align with the organization’s priorities?
- ❏ A. Bottom up collaborative approach
- ❏ B. Top down approach
- ❏ C. Risk based approach
Question 9
You are an information systems auditor at Meridian Systems and you are assessing the integration of two companies after a recent consolidation. You need to identify which post merger task an IS auditor should prioritize to protect ongoing operations and resilience. Which task should be given top priority?
- ❏ A. Conducting a comprehensive security evaluation of the combined IT environment
- ❏ B. Ensuring identity and access management is unified across both organizations
- ❏ C. Reviewing merger related legal contracts and compliance obligations
- ❏ D. Updating the business continuity and disaster recovery plan to reflect the merged entity
Question 10
Which protocol secures email messages by providing encryption for confidentiality and digital signatures for authentication?
- ❏ A. DKIM
- ❏ B. S/MIME
- ❏ C. OpenPGP
Question 11
When two retail chains exchange purchase orders through electronic data interchange why is it essential to enforce and continuously manage strong authentication?
- ❏ A. Transmission of incorrect transaction data
- ❏ B. Partial or incomplete message delivery resulting in partial records
- ❏ C. Execution of transactions by unauthorized entities
- ❏ D. Duplicate or replayed transactions causing unexpected orders
Question 12
In the RACI model which role designates the individual who has ultimate oversight and accountability for a task?
- ❏ A. Responsible
- ❏ B. Accountable
- ❏ C. Consulted
Question 13
Which data modeling approach describes how data will be physically stored, formatted and accessed inside a database system?
- ❏ A. Logical data model
- ❏ B. Entity relationship model
- ❏ C. Conceptual data model
- ❏ D. Physical data model
Question 14
What is the primary purpose of a single sign on system?
- ❏ A. Cloud Identity
- ❏ B. To permit users to authenticate once and gain access to multiple applications
- ❏ C. To reduce the risk of a single point of failure
Question 15
Within an organization recovery plan which component specifies the duties and accountability of staff who will carry out recovery activities?
- ❏ A. Emergency Response Council (ERC)
- ❏ B. Business Continuity Lead (BCL)
- ❏ C. Recovery Operations Team (ROT)
- ❏ D. Recovery Playbooks
Question 16
Which source of audit evidence is generally regarded as the most reliable?
- ❏ A. Evidence from the auditor’s procedures
- ❏ B. Confirmation from an independent external party
- ❏ C. Internally generated accounting report
- ❏ D. Oral statements from the client
Question 17
Which choice describes a typical duty of an operating system access control rather than a database management system access control?
- ❏ A. Enforcing permissions on individual database fields
- ❏ B. Establishing individual user accountability for system actions
- ❏ C. Recording database access events for audit and monitoring
- ❏ D. Defining database user profiles and roles
Question 18
In IT what is the primary purpose of a configuration baseline?
- ❏ A. Cloud Asset Inventory
- ❏ B. Reference for system software and hardware versions
- ❏ C. Support impact analysis of patches
Question 19
In an enterprise network which method can detect transmission errors by appending specially calculated bits to the end of each data packet?
- ❏ A. Cyclic redundancy check
- ❏ B. Forward error correction
- ❏ C. Redundancy check
- ❏ D. Parity check
Question 20
Which key does the recipient use to decrypt and verify a digital signature that was created by the sender?
- ❏ A. recipient’s private key
- ❏ B. sender’s public key
- ❏ C. recipient’s public key
Answers for the ISACA Sample Questions
Question 1
What is the most difficult aspect of drafting a service level agreement for network connectivity between a company and its external provider?
✓ D. Establishing quantifiable performance metrics for the network service
The correct option is Establishing quantifiable performance metrics for the network service.
This option is correct because turning expectations about latency, availability, throughput and packet loss into precise numeric targets and reliable measurement methods is technically complex and often disputed by both parties.
Agreeing on where to measure, how to measure, which tools to use, sampling intervals, measurement windows and how to treat maintenance or attack conditions requires deep technical detail and clear definitions in the SLA for enforcement and remedies.
Cloud Monitoring is not the best answer because it is a monitoring tool that can capture metrics but it does not solve the core problem of defining which metrics and measurement methodologies belong in the SLA.
Ensuring compliance with privacy and data protection laws is important but this concern is typically addressed through legal clauses and data processing agreements and is not the primary technical difficulty of defining network performance metrics.
Defining the scope and the services covered by the agreement is a necessary step but it is usually more straightforward to list services and boundaries than to create precise measurable and enforceable performance metrics.
When a question asks for the most difficult aspect think about which item requires technical measurability and enforceability rather than policy or a specific tool.
Question 2
Which control technique is used to detect missing records, altered data, and duplicate entries?
✓ B. Hash totals
The correct option is Hash totals.
Hash totals are control totals that sum values that may not have business meaning, so that missing records, altered data or duplicated entries change the aggregate and can be detected when the totals are compared between systems or runs.
Hash totals work well in batch processing and file transfers because a changed record will normally alter the computed total even when the change is subtle, so they provide a simple integrity check across many records.
Reasonableness checks focus on whether individual values fall within expected ranges or conform to business logic and they do not reliably detect missing records or duplicates.
Sequence checks verify the order of records and can reveal missing or out of sequence items but they do not detect altered data values and they will miss duplicates that preserve or repeat sequence identifiers.
When a question mentions missing records, modified data or duplicate entries think of aggregated integrity checks such as hash totals rather than checks that only test value ranges or record order.
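The explanation above is easier to see with the three classic batch controls side by side. The following example is added here and is not from the course or from ISACA; the record layout, the sample batch and the three corrupted copies of it are constructed for illustration. It computes a record count, a financial total and a hash total (the sum of the account numbers, a field with no arithmetic meaning) for a batch, then reconciles the sender's totals against a received copy that is missing a record, has a duplicated record, or has one account number altered in transit.

```python
"""Batch control totals for reconciling a file between sender and receiver.

Added example for this page, not course or ISACA code. The record layout and
the sample batch below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    seq: int           # sequence number assigned by the sender
    account: int       # account identifier; no arithmetic meaning on its own
    amount_cents: int  # transaction amount in cents


def control_totals(batch: List[Record]) -> Dict[str, int]:
    """Compute the three classic batch controls.

    record_count:    catches dropped or duplicated records, not altered ones.
    financial_total: catches altered amounts, not altered account numbers.
    hash_total:      sum of a non-financial field (account numbers); catches
                     altered accounts as well as dropped and duplicated records.
    """
    return {
        "record_count": len(batch),
        "financial_total": sum(r.amount_cents for r in batch),
        "hash_total": sum(r.account for r in batch),
    }


def reconcile(sent: Dict[str, int], received_batch: List[Record]) -> List[str]:
    """Return the names of the controls that disagree with the sender's totals."""
    received = control_totals(received_batch)
    return [name for name in sent if sent[name] != received[name]]


# Constructed sample batch as transmitted by the sender.
SENT_BATCH = [
    Record(1, 100234, 12_500),
    Record(2, 100871, 3_099),
    Record(3, 100402, 47_000),
    Record(4, 100655, 810),
]
SENT_TOTALS = control_totals(SENT_BATCH)

# Three ways the received file can differ from what was sent.
MISSING = SENT_BATCH[:2] + SENT_BATCH[3:]            # record 3 dropped
DUPLICATE = SENT_BATCH + [SENT_BATCH[1]]             # record 2 posted twice
ALTERED = [                                          # two digits of an account swapped
    SENT_BATCH[0],
    Record(2, 100817, 3_099),
    SENT_BATCH[2],
    SENT_BATCH[3],
]


def demo() -> Dict[str, List[str]]:
    """Reconcile each corrupted copy and report which controls flagged it."""
    cases = {"missing": MISSING, "duplicate": DUPLICATE, "altered": ALTERED}
    return {label: reconcile(SENT_TOTALS, batch) for label, batch in cases.items()}


if __name__ == "__main__":
    for label, flagged in demo().items():
        print(f"{label:10s} -> controls that disagree: {flagged}")
```

The altered-account case is the one that matters for the exam point: the record count and the financial total still agree, and only the hash total disagrees. Hash totals are not cryptographic, so an adversary who controls the file can craft compensating changes that preserve the sum; where deliberate tampering is the threat, a keyed digest over the whole batch is the stronger control, with the hash total kept for its original purpose of catching processing and transmission errors.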
Question 3
Which capability should a network management system always provide to help administrators locate and understand how devices are connected?
✓ D. A visual topology map for tracing device links and dependencies
A visual topology map for tracing device links and dependencies is the correct capability that a network management system should always provide to help administrators locate and understand how devices are connected.
A visual topology map displays devices as nodes and links as edges so administrators can follow paths and dependencies at a glance. This makes it much faster to pinpoint where a device sits in the network and to see which other devices or services will be affected by an outage or change.
Ability to export logs and metrics for analysis in spreadsheet tools is useful for historical analysis and offline investigation but it does not provide an immediate view of how devices are connected. Exported logs do not replace a real time visual representation of topology.
Cloud Monitoring provides metrics, dashboards, and alerting that help observe device health and performance but it does not inherently show a network topology or the links between devices. Monitoring and topology are complementary but different capabilities.
Integration with an incident management system for creating tickets helps manage and track responses to problems but it does not help administrators discover physical or logical connections between devices. Ticketing assists workflow rather than showing network layout.
When a question focuses on how administrators will locate or trace devices in a network, prefer the option that provides a visual, real time representation such as a topology map.
Question 4
Which statement is not a characteristic of circuit switching?
✓ B. Individual data packets can traverse many different paths to reach the destination
Individual data packets can traverse many different paths to reach the destination is the correct statement that does not describe circuit switching.
Individual data packets can traverse many different paths to reach the destination describes packet switching where each packet can be routed independently and may take different routes to the destination. Circuit switching instead establishes a reserved path for the session so packets do not traverse many different paths.
A dedicated end to end channel is established for the session is incorrect because it accurately describes circuit switching. In circuit switching the network reserves a dedicated end to end channel for the duration of the connection.
After setup the data flow follows a fixed and uniform route is incorrect because that also matches circuit switching behavior. Once the circuit is set up the data follows the same fixed route for the lifetime of the session.
Look for keywords that match the switching model. Words like dedicated and fixed route point to circuit switching while phrases about packets taking different paths point to packet switching.
Question 5
You are the information systems auditor for Arcadia Systems. You are evaluating methods to lower the risk when migrating to a replacement application that uses incompatible technologies compared with the legacy platform. Which approach will best diminish this transition risk?
✓ C. Running the legacy and new systems concurrently
Running the legacy and new systems concurrently is correct. This approach, often called a parallel run, lets the organization operate both systems at the same time so you can validate the new application against real workloads while keeping the legacy platform available as a fallback.
Running both systems concurrently reduces transition risk because you can compare outputs and reconcile data before switching users over. It gives you time to identify functional gaps and integration issues and to correct them without interrupting business operations. It also preserves a clear rollback path so you can revert to the legacy system if critical problems appear during the migration.
Blue green deployment is not the best choice in this scenario because blue green is designed to swap traffic between two compatible environments for near zero downtime. Blue green assumes the new environment can take production traffic with minimal reconciliation and it does not solve fundamental incompatibilities in data models or long running integration work.
Performing a full data transfer to the new platform is risky on its own because moving data without running the new system in parallel removes the ability to validate processing and business logic under real conditions. A full transfer can leave you with no safe rollback and no opportunity to compare results against the legacy system.
Comprehensive end user training is valuable for adoption but it does not by itself reduce technical migration risk. Training helps users learn the new system but it does not address integration issues, data mismatches or the need for live validation and fallback during the transition.
When a question mentions incompatible technologies look for answers that allow a parallel run or phased cutover so you can validate behavior and keep a fallback in place.
Question 6
What is the primary objective of conducting a post-incident review of an incident response?
✓ B. To evaluate how effectively the incident response was executed
To evaluate how effectively the incident response was executed is the primary goal of a post-incident review of an incident.
The post incident review is intended to assess how the team detected, contained and recovered from the incident and to measure performance against objectives and timelines. The review uncovers root causes, communication and coordination gaps, and tool or process deficiencies so that prioritized corrective actions can be agreed and tracked.
To update training and incident response playbooks is not the primary goal because updating playbooks and training are typical outputs of the review rather than its main purpose. Those updates follow from the lessons learned and the corrective actions identified during the evaluation.
To preserve forensic evidence for legal or investigative needs is not the primary goal because evidence preservation must occur during the active response to maintain chain of custody and integrity. The post incident review can examine whether preservation was handled correctly but it does not itself perform evidence collection.
To notify regulators of the incident is not the primary goal because regulatory notification is a compliance requirement with its own rules and timelines. The review may inform what was reported and when but notification is a separate activity that serves legal and regulatory obligations.
Focus on what the review is trying to achieve first and then think about downstream results. Emphasize assessment and lessons learned as the primary aim and treat training updates, evidence handling, and notifications as follow up or parallel activities.
Question 7
Which risk response strategy requires putting checks and controls in place to lower the probability or impact of a threat?
✓ D. Mitigate the risk
The correct option is Mitigate the risk. This choice matches the requirement to put checks and controls in place to lower the probability or impact of a threat.
Mitigate the risk means implementing security controls, process changes, or technical safeguards to reduce either the likelihood of an event or its consequences. Typical mitigation measures include patching, access controls, redundancy, and monitoring because these actions directly lower probability or impact.
Transfer the risk is incorrect because it shifts the financial or legal consequences to a third party rather than reducing the chance or severity of the threat. Insurance and contractual transfers do not by themselves implement controls to reduce likelihood.
Accept the risk is incorrect because it involves knowingly tolerating the risk without adding controls. Acceptance is chosen when the cost of further action outweighs the benefit and it does not lower probability or impact.
Avoid the risk is incorrect because it eliminates the activity that creates exposure instead of applying controls to reduce likelihood or damage. Avoidance removes the source of risk but it is not the same as putting checks in place to mitigate risk.
When answering, look for keywords such as controls or reducing likelihood to identify mitigation. Match each option to the standard risk response definitions to choose the correct strategy.
Question 8
Which method of creating policies is directed by senior leadership and informed by risk assessments to align with the organization’s priorities?
✓ B. Top down approach
Top down approach is correct.
This approach is directed by senior leadership and uses risk assessments as input so that policies support organizational priorities and governance. Senior leaders set the objectives and priorities and risk information helps them decide which policies and controls require attention and resources.
Bottom up collaborative approach is incorrect because it describes policies that emerge from teams or stakeholders and may lack the explicit direction from senior leadership that the question requires. That grassroots method can be valuable for buy in but it does not match a model that is driven by organizational leadership.
Risk based approach is incorrect because while it emphasizes using risk assessments it does not by itself imply direction from senior leadership. The question asks for a method that is both directed by senior leadership and informed by risk assessments, so a purely risk based label does not capture the top level governance aspect.
When a question links policy to senior leadership and organizational priorities choose an answer that emphasizes leadership driven governance and use risk assessments as supporting input rather than the sole driver.
Question 9
You are an information systems auditor at Meridian Systems and you are assessing the integration of two companies after a recent consolidation. You need to identify which post merger task an IS auditor should prioritize to protect ongoing operations and resilience. Which task should be given top priority?
✓ D. Updating the business continuity and disaster recovery plan to reflect the merged entity
The correct task to prioritize is Updating the business continuity and disaster recovery plan to reflect the merged entity.
Mergers typically change system dependencies, hosting locations, vendor relationships, and critical process mappings. Updating the business continuity and disaster recovery plan ensures recovery time objectives and recovery point objectives remain realistic and that recovery teams, alternate sites, backup strategies, and interdependencies are identified and tested for the combined organization. This work preserves ongoing operations and resilience while integration proceeds.
Conducting a comprehensive security evaluation of the combined IT environment is important but it is not the immediate priority for protecting ongoing operations. A full security assessment can follow once continuity controls are in place or it can be run in parallel with lower risk tasks so that critical services remain available during the review.
Ensuring identity and access management is unified across both organizations is essential for long term security and governance. It can however introduce access disruptions if done too quickly and it does not on its own guarantee that critical services will continue to operate during transition. BCDR updates reduce the operational risk from any access or integration failures.
Reviewing merger related legal contracts and compliance obligations is necessary for governance and regulatory standing. That review tends to affect legal exposure and longer term compliance work and does not directly restore or protect day to day operational resilience in the immediate post merger period.
When a question emphasizes protecting ongoing operations and resilience pick answers related to business continuity and recovery first. Think about what keeps services running before tackling broader security or legal consolidation tasks.
Question 10
Which protocol secures email messages by providing encryption for confidentiality and digital signatures for authentication?
✓ B. S/MIME
The correct answer is S/MIME.
S/MIME secures email by providing end to end encryption and digital signatures using X.509 certificates. It encrypts the message body to protect confidentiality and it signs messages to authenticate the sender and ensure integrity. It is widely supported in major email clients and is the certificate based standard described in RFC 5751.
DKIM signs message headers with a domain key published in DNS and helps verify that a message was authorized by the sending domain and that headers were not tampered with. It does not provide end to end message encryption or user level digital signatures so it does not meet the requirement in the question.
OpenPGP is an alternative that does provide end to end encryption and digital signatures using a web of trust model. It is a valid technology for securing email but exams that expect a certificate based answer will choose S/MIME rather than OpenPGP.
Look for options that explicitly provide both encryption and digital signatures. Certificate based standards such as S/MIME are often the expected answer while DNS based signing like DKIM does not encrypt messages.
Question 11
When two retail chains exchange purchase orders through electronic data interchange why is it essential to enforce and continuously manage strong authentication?
✓ C. Execution of transactions by unauthorized entities
The correct answer is Execution of transactions by unauthorized entities.
Strong authentication ensures that each electronic data interchange session and message can be traced to a verified trading partner. Without robust and continuously managed authentication an attacker or compromised credential can impersonate a partner and carry out transactions by unauthorized entities, which creates financial loss and supply chain disruption.
Continuous management matters because credentials and keys can be leaked, revoked, or expire. Regular rotation, monitoring, and use of multi factor and mutual TLS reduce the window in which an attacker can abuse access and prevent misuse that would lead to execution of transactions by unauthorized entities.
Transmission of incorrect transaction data is primarily an integrity and data validation issue. Schema validation, checksums, and end to end integrity checks address incorrect data and they do not by themselves prevent an unauthorized actor from submitting valid looking transactions.
Partial or incomplete message delivery resulting in partial records is a reliability and delivery guarantee problem. Acknowledgements, retries, transactional processing, and message queuing solve partial delivery and they are not solved by authentication alone.
Duplicate or replayed transactions causing unexpected orders is mainly an anti replay and idempotency concern. Timestamps, nonces, sequence numbers, and message signing prevent replayed messages and duplicates. Authentication helps establish identity, but anti replay controls are the primary defense.
When a question asks about preventing unwanted actions think of who can act and not just what can go wrong. Distinguish authentication problems from integrity and delivery problems before choosing an answer.
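The explanation separates four concerns (who is acting, whether the data is intact, whether delivery completed, and whether a message is a replay). The receiver-side check below is an added example for this page, not course or ISACA code, and it shows how a trading partner's system can tell those concerns apart when an EDI purchase order arrives. The partner names, shared secrets and order bodies are constructed; the scheme is a shared-secret HMAC over the message plus a per-partner sequence number, chosen because it runs with the Python standard library. A real deployment would typically authenticate partners with mutual TLS or AS2 certificate signatures, but the separation of authentication, integrity and anti-replay checks is the same.

```python
"""Receiver-side checks for EDI purchase orders.

Added example for this page, not course or ISACA code. Partner identifiers,
secrets and message bodies are constructed. Authentication uses a shared-secret
HMAC per partner; real EDI links usually rely on mutual TLS or AS2 signatures.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed per-partner shared secrets (in practice held in a secret store or HSM).
PARTNER_KEYS: Dict[str, bytes] = {
    "RETAILER-A": b"constructed-secret-for-partner-a",
    "RETAILER-B": b"constructed-secret-for-partner-b",
}


def canonical(partner: str, seq: int, body: dict) -> bytes:
    """Deterministic byte encoding of every field the MAC covers."""
    payload = {"partner": partner, "seq": seq, "body": body}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(partner: str, seq: int, body: dict) -> dict:
    """Sender side: wrap an order in an envelope carrying an HMAC-SHA256 tag."""
    tag = hmac.new(PARTNER_KEYS[partner], canonical(partner, seq, body), hashlib.sha256)
    return {"partner": partner, "seq": seq, "body": body, "mac": tag.hexdigest()}


class Receiver:
    """Verifies envelopes and remembers the last accepted sequence per partner."""

    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}

    def accept(self, env: dict) -> Tuple[bool, str]:
        partner = env.get("partner")
        key = PARTNER_KEYS.get(partner)
        if key is None:
            # Identity check: we only trade with enrolled partners.
            return False, "authentication: unknown trading partner"
        expected = hmac.new(key, canonical(partner, env["seq"], env["body"]), hashlib.sha256)
        if not hmac.compare_digest(expected.hexdigest(), env.get("mac", "")):
            # Fails both for a sender without the partner key and for a body changed in transit.
            return False, "authentication/integrity: MAC does not verify"
        if env["seq"] <= self.last_seq.get(partner, 0):
            # Anti-replay: a genuine, correctly signed message must still be new.
            return False, "anti-replay: sequence number already seen"
        self.last_seq[partner] = env["seq"]
        return True, "accepted"


def demo() -> Dict[str, str]:
    """Run one genuine order and four problem cases through a fresh receiver."""
    rx = Receiver()
    order = {"po": "PO-1001", "sku": "WIDGET-9", "qty": 40}     # constructed order
    genuine = sign("RETAILER-A", 1, order)
    results = {"genuine": rx.accept(genuine)[1]}
    results["replay"] = rx.accept(dict(genuine))[1]              # same envelope resent
    results["altered"] = rx.accept(dict(genuine, body={**order, "qty": 4000}))[1]
    results["forged"] = rx.accept(dict(genuine, seq=2, mac="0" * 64))[1]  # no partner key
    results["unknown"] = rx.accept(dict(genuine, partner="RETAILER-Z"))[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s} -> {outcome}")
```

The order of the checks is deliberate: the partner lookup and the MAC run before the sequence comparison, so an unauthenticated message can never advance the replay counter. The sequence number is part of the signed material, which is why the replayed envelope verifies but is still rejected, and why a sender without the key cannot simply bump the counter. Note that a bare shared secret does not give non-repudiation; for that, and for the "continuously managed" part of the answer (rotation, revocation, expiry), certificate-based signing with a proper lifecycle is the usual choice.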
Question 12
In the RACI model which role designates the individual who has ultimate oversight and accountability for a task?
✓ B. Accountable
The correct answer is Accountable.
In a RACI matrix the Accountable role is the individual who has the final ownership and oversight for the task and who must ensure that the work is completed and accepted. There is typically a single Accountable person per task to provide clear authority and responsibility for sign off.
The Responsible role is incorrect because Responsible refers to the person or people who actually perform the work and execute the task steps, and they do not hold the ultimate sign off.
The Consulted role is incorrect because Consulted denotes stakeholders or subject matter experts who provide input and feedback, and they are not accountable for completing or approving the task.
When you see wording about ultimate oversight or final sign off look for the Accountable role. Remember that Responsible does the work and Consulted provides input.
Question 13
Which data modeling approach describes how data will be physically stored, formatted and accessed inside a database system?
✓ D. Physical data model
The correct option is Physical data model.
The Physical data model describes how data will be physically stored, formatted and accessed inside a database system. It specifies table and column structures, data types, storage parameters, indexes, partitions, constraints and DBMS specific features such as tablespaces, storage engines and file layouts. Because it maps the logical design to an actual implementation the Physical data model directly addresses storage format and access patterns.
Logical data model is incorrect because it defines entities, attributes and relationships with detailed structure and business rules but it does not specify DBMS specific storage formats or physical access methods. The logical model sits between conceptual design and physical implementation.
Entity relationship model is incorrect because it is a modeling notation used to represent entities and relationships and it is typically applied at the conceptual or logical level. It does not by itself define how data will be stored or accessed on disk.
Conceptual data model is incorrect because it captures high level business concepts and scope without technical or storage details. The conceptual model focuses on what the data means to the business rather than how the data will be implemented in a database system.
When a question asks about storage formats, access methods or DBMS specific settings choose the Physical model because it covers implementation details rather than high level concepts.
Question 14
What is the primary purpose of a single sign on system?
✓ B. To permit users to authenticate once and gain access to multiple applications
The correct option is To permit users to authenticate once and gain access to multiple applications.
Single sign on lets a user authenticate one time and then access multiple independent applications without having to sign in again for each one. This streamlines the user experience and reduces the number of credentials a user must manage while centralizing authentication for administrators.
Cloud Identity is a Google product that can enable single sign on and provide identity management features, but it is a product name rather than the definition of the single sign on concept and so it is not the correct answer to this question.
To reduce the risk of a single point of failure is incorrect because single sign on actually centralizes authentication and can become a single point of failure if it is not designed with redundancy and high availability. The primary purpose of SSO is to simplify authentication and access across applications rather than to remove single points of failure.
When you see phrases like authenticate once or access to multiple applications in a question, those clues usually point to the single sign on concept.
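As an added illustration of the authenticate-once flow (example code written for this page, not from ISACA, Google Cloud Identity or any other SSO product): a toy identity provider checks a password once and issues a signed, time-limited assertion, and each application validates that assertion instead of prompting for credentials again. The signing key, user store, issuer name and application names are all constructed for the demo.

```python
"""Toy single sign-on flow: authenticate once at an identity provider (IdP), then
present the IdP's signed assertion to several applications.
Added example for this page; key, user store and app names are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: one HMAC key shared by the IdP and every relying application.
IDP_SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"
IDP_ISSUER = "idp.example"
# Constructed user store: username -> salted password hash.
_SALT = b"demo-salt"
USER_DB = {"alice": hashlib.sha256(_SALT + b"correct horse battery").hexdigest()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(username, password, now=None, ttl=300):
    """Authenticate ONCE. Returns a signed assertion, or None on bad credentials."""
    now = time.time() if now is None else now
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if not hmac.compare_digest(USER_DB.get(username, ""), candidate):
        return None
    claims = {"sub": username, "iss": IDP_ISSUER, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def app_accept(app_name, assertion, now=None):
    """A relying application verifies the IdP's signature and expiry instead of
    re-prompting for a password. Returns a session label, or None if rejected."""
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                     # forged or tampered assertion
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("exp", 0) < now:
        return None                         # wrong issuer or expired
    return f"{app_name}: session for {claims['sub']}"


if __name__ == "__main__":
    token = idp_login("alice", "correct horse battery")
    for app in ("payroll", "wiki", "ticketing"):       # one login, three apps
        print(app_accept(app, token))
```

The same structure shows the single point of failure the explanation warns about: every application trusts one issuer and one signing key, so an outage of the IdP blocks all three logins, and a leaked key lets an attacker mint assertions for any user.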
Question 15
Within an organization recovery plan which component specifies the duties and accountability of staff who will carry out recovery activities?
-
✓ C. Recovery Operations Team (ROT)
The correct option is Recovery Operations Team (ROT).
Recovery Operations Team (ROT) is the operational group that is assigned the duties and accountability for executing recovery activities. ROT defines specific roles and task owners, manages activation and coordination during an incident, and ensures that staff are accountable for completing each recovery step.
Emergency Response Council (ERC) is usually a governance or oversight body that provides strategic guidance and policy decisions.
ERC does not normally specify the detailed hands on duties and accountability for staff carrying out recovery tasks.
Business Continuity Lead (BCL) typically manages the continuity program and coordinates planning and decisions.
BCL may direct or support the recovery effort but this role by itself does not list every operational duty and accountable person for recovery activities.
Recovery Playbooks are procedural documents and checklists that the recovery team follows.
Recovery Playbooks describe the steps to take and provide guidance but they do not by themselves assign individual staff accountability or organize the team responsible for executing the work.
When a question asks who will perform and be accountable for recovery tasks look for an answer that names the operational team rather than a single leader or a document.
Question 16
Which source of audit evidence is generally regarded as the most reliable?
-
✓ B. Confirmation from an independent external party
The correct answer is Confirmation from an independent external party.
Confirmation from an independent external party is most reliable because it is obtained from a source outside the entity and does not depend on management representation. External confirmations provide direct, third party corroboration and are usually documented which reduces the risk of bias or misstatement.
Evidence from the auditor’s procedures is not the best choice in this context because audit procedures do produce evidence but their reliability varies by type and by the source. Procedures performed by the auditor can be persuasive when they involve inspection or reperformance but they often do not replace independent external corroboration for third party balances.
Internally generated accounting report is less reliable because it originates within the entity and may reflect management judgments or errors. These reports generally need independent corroboration to be highly persuasive.
Oral statements from the client are the least reliable because they lack documentation and are subject to intentional or unintentional misstatement. Auditors typically seek written or external evidence to corroborate oral representations.
Focus on the source and independence of evidence when choosing the most reliable option. Prefer documented confirmations from third parties over internal reports or oral statements.
Question 17
Which choice describes a typical duty of an operating system access control rather than a database management system access control?
-
✓ B. Establishing individual user accountability for system actions
Establishing individual user accountability for system actions is correct. This is typically an operating system responsibility because the OS manages user identities, logins, process ownership, and the system level auditing that ties actions to individual accounts.
The operating system provides authentication services and maintains user identifiers and session information that let administrators attribute actions to specific users. The OS also controls system wide resources and records events such as logins and process creation so that accountability is meaningful across all software running on the host.
Enforcing permissions on individual database fields is incorrect because fine grained control at the column or field level is normally implemented by the database management system. DBMSs offer column privileges, views, and row level security that let you restrict access inside the database.
Recording database access events for audit and monitoring is incorrect because auditing of SQL statements, data reads and writes, and other database specific events is a core DBMS feature. Databases provide their own audit logs and monitoring mechanisms that complement, but are distinct from, OS logs.
Defining database user profiles and roles is incorrect because creating database users, roles, and profiles is a DBMS task. These constructs control permissions inside the database and are managed by the DBMS rather than by the operating system.
When you must choose between OS and DBMS controls look for whether the control applies to the whole host and process identity or to tables and columns. Focus on system wide versus table or column scope to guide your answer.
Question 18
In IT what is the primary purpose of a configuration baseline?
-
✓ B. Reference for system software and hardware versions
The correct answer is Reference for system software and hardware versions.
A configuration baseline is the authoritative record of approved system software and hardware versions and it provides a fixed point of reference for configuration management, compliance checks, and detecting configuration drift across systems.
Using a baseline makes it possible to audit systems against expected versions, prioritize remediation, and restore approved configurations when deviations are found.
Cloud Asset Inventory is primarily an inventory and discovery service for cloud resources and their metadata and it is not itself the definition of an approved configuration state, although inventory data can be used to build or verify a baseline.
Support impact analysis of patches refers to testing and change management activities that evaluate how patches affect systems and services and this is a process that may use a baseline but it is not the baseline’s primary purpose.
When answering questions about baselines focus on whether the option describes an authoritative reference state for configurations or whether it describes a tool or a process. Choose the option that defines the approved state.
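To make the drift-detection use of a baseline concrete, here is an added example (written for this page, not taken from any configuration management tool): an approved baseline of component versions is compared against what discovery reported for each host, and every mismatch, missing approved component and unapproved extra is listed. The baseline, host names and version strings are constructed.

```python
"""Configuration drift check against an approved baseline.
Added example for this page; baseline and host inventories are constructed."""
from typing import Dict, List

# Constructed baseline: component -> approved version.
BASELINE: Dict[str, str] = {
    "os": "Ubuntu 22.04.4",
    "kernel": "5.15.0-105",
    "openssl": "3.0.2",
    "nginx": "1.24.0",
    "bios": "1.12.0",
}

# Constructed observed inventories (what a discovery tool reported per host).
HOSTS: Dict[str, Dict[str, str]] = {
    "web-01": dict(BASELINE),
    "web-02": {
        "os": "Ubuntu 22.04.4",
        "kernel": "5.15.0-105",
        "openssl": "3.0.13",   # newer than approved: still drift until the baseline is updated
        "bios": "1.12.0",
        "telnetd": "0.17",     # not in the baseline at all
        # nginx absent
    },
}


def find_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Compare one host against the baseline. Returns sorted findings: version
    mismatches, approved components that are missing, and unapproved extras."""
    findings = []
    for component, approved in baseline.items():
        actual = observed.get(component)
        if actual is None:
            findings.append(f"MISSING {component}: approved {approved}, not installed")
        elif actual != approved:
            findings.append(f"MISMATCH {component}: approved {approved}, found {actual}")
    for component in sorted(observed.keys() - baseline.keys()):
        findings.append(f"UNAPPROVED {component}: found {observed[component]}, not in baseline")
    return sorted(findings)


def audit_fleet(baseline, hosts) -> Dict[str, List[str]]:
    """Run the drift check across hosts; hosts with an empty list are compliant."""
    return {name: find_drift(baseline, inv) for name, inv in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(BASELINE, HOSTS).items():
        print(host, "COMPLIANT" if not findings else "DRIFT")
        for finding in findings:
            print("   ", finding)
```

Note that a version newer than the approved one is still reported as drift: the baseline is the authority, and the fix is either to roll the host back or to update the baseline through change management, not to silently accept whatever is installed.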
Question 19
In an enterprise network which method can detect transmission errors by appending specially calculated bits to the end of each data packet?
-
✓ C. Redundancy check
Redundancy check is the correct answer.
A Redundancy check detects transmission errors by appending specially calculated bits to a data packet so the receiver can verify integrity. The term describes the general approach of adding extra check bits and thus matches the question wording about appending bits to detect errors.
Cyclic redundancy check is incorrect because it is a specific algorithm that implements a redundancy check by calculating a polynomial checksum and appending those bits. It does perform the appended-bit detection but it is a particular method rather than the general category named in the question.
Forward error correction is incorrect because it adds redundant data to allow the receiver to correct errors as well as detect them. The emphasis of FEC is on correction and recovery rather than solely on detecting transmission errors.
Parity check is incorrect because it is a simple form of redundancy check that appends a single parity bit and can only detect certain error patterns. It is a specific, lightweight example of the broader redundancy check concept rather than the general term asked for here.
When a question uses broad wording look for an umbrella term that covers multiple techniques. If the stem asks about appending check bits the general phrase redundancy check is often the right choice rather than a specific method like Cyclic redundancy check or parity check.
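The following added example (written for this page, not from any networking standard or vendor code) shows two members of the redundancy check family side by side: a single appended parity bit and a 4-byte CRC-32 trailer. Both detect a one-bit error, but a two-bit error slips past parity while the CRC still catches it. The payload and the corrupted bit positions are constructed.

```python
"""Appended check bits: a single parity bit versus a CRC-32 trailer.
Added example for this page; the payload and error positions are constructed."""
import zlib


def parity_append(payload: bytes) -> bytes:
    """Append one byte holding an even-parity bit for the whole payload."""
    ones = sum(bin(b).count("1") for b in payload)
    return payload + bytes([ones & 1])


def parity_check(frame: bytes) -> bool:
    payload, parity = frame[:-1], frame[-1]
    ones = sum(bin(b).count("1") for b in payload)
    return (ones & 1) == parity


def crc_append(payload: bytes) -> bytes:
    """Append the 4-byte CRC-32 of the payload (the 'specially calculated bits')."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    payload, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(payload) == int.from_bytes(trailer, "big")


def flip_bits(frame: bytes, *positions: int) -> bytes:
    """Simulate line noise: flip the given bit positions (0 = LSB of byte 0)."""
    buf = bytearray(frame)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def detected(payload: bytes, *positions: int) -> dict:
    """Send the payload with each check appended, corrupt the given bits, and
    report which scheme noticed the corruption."""
    p_frame = flip_bits(parity_append(payload), *positions)
    c_frame = flip_bits(crc_append(payload), *positions)
    return {"parity": not parity_check(p_frame), "crc32": not crc_check(c_frame)}


PAYLOAD = b"ACCT-4711 DEBIT 250.00"   # constructed 22-byte record

if __name__ == "__main__":
    print("clean      ", detected(PAYLOAD))
    print("1-bit error", detected(PAYLOAD, 5))
    print("2-bit error", detected(PAYLOAD, 3, 10))
```

Neither scheme corrects anything: a failed check only tells the receiver to discard the frame and request retransmission, which is the distinction the explanation draws against forward error correction.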
Question 20
Which key does the recipient use to decrypt and verify a digital signature that was created by the sender?
-
✓ B. sender’s public key
sender’s public key is correct because the recipient uses the sender’s public key to verify a digital signature that the sender created with their private key.
When the sender creates a digital signature they sign a hash of the message with their private key. The recipient computes the same hash, applies the sender’s public key to the signature to recover the hash the sender signed, and compares the two values. If they match then the recipient can confirm the message came from the sender and that it was not modified in transit.
recipient’s private key is incorrect because that key is owned by the recipient and is used to decrypt messages that were encrypted to the recipient. It cannot be used to verify a signature that was produced by the sender.
recipient’s public key is incorrect because the recipient’s public key relates to the recipient’s encryption and not to the sender’s signing process. The public key needed to verify the signature must be the sender’s public key.
Remember that signing uses the signer’s private key and verification uses the signer’s public key. If a message is encrypted then decryption uses the recipient’s private key.
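Both rules in that reminder can be exercised in a few lines. The example below is added for this page and uses textbook RSA with small constructed primes only to show which key plays which role; it is not a secure signature or encryption scheme and should not be mistaken for a real library's API. The key material, message and session key value are constructed.

```python
"""Sign with the sender's private key, verify with the sender's public key;
encrypt to the recipient's public key, decrypt with the recipient's private key.
Added example for this page. Uses textbook RSA with small constructed primes purely
to show which key plays which role; it is NOT a secure signature or encryption scheme."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)        # signer's PRIVATE key


def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)   # signer's PUBLIC key recovers the hash


def encrypt(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)            # recipient's PUBLIC key


def decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)            # recipient's PRIVATE key


# Constructed key material (primes are far too small for real use).
SENDER_PUB, SENDER_PRIV = make_keypair(1000003, 1000033)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(104729, 1299709)

MESSAGE = b"Transfer 250.00 from ACCT-4711"   # constructed

if __name__ == "__main__":
    sig = sign(MESSAGE, SENDER_PRIV)
    print("sender's public key verifies:   ", verify(MESSAGE, sig, SENDER_PUB))
    print("recipient's public key verifies:", verify(MESSAGE, sig, RECIPIENT_PUB))
    print("altered message verifies:       ", verify(MESSAGE + b"0", sig, SENDER_PUB))
    session_key = 0xC0FFEE
    recovered = decrypt(encrypt(session_key, RECIPIENT_PUB), RECIPIENT_PRIV)
    print("decrypt(encrypt(k)) == k:       ", recovered == session_key)
```

Running it prints True, False, False, True: only the sender's public key accepts the signature, any change to the message breaks it, and only the recipient's private key recovers what was encrypted to the recipient's public key.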
Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.