Updated CISA Certified Information Systems Auditor Certification Dumps

The Certified Information Systems Auditor (CISA) certification, issued by ISACA, validates your expertise and gives you the leverage you need to move up in your career. CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. To improve your preparation for the ISACA CISA exam, we have updated the CISA dumps questions to help ensure that you can pass the CISA certification exam.

It is a good idea to try the free CISA dumps online first.

1. A shared resource matrix is a technique commonly used to locate:

 
 
 
 

2. You are part of a security staff at a highly profitable bank and each day, all traffic on the network is logged for later review. Every Friday when major deposits are made you’re seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet.

This is only 16 bits, which isn’t much, but it concerns you because:

 
 
 
 
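The scenario above describes a covert channel in an otherwise unused TCP header field. As an added example (not part of the original page or any exam answer key), the following Python parses raw 20-byte TCP headers, flags packets whose Urgent Pointer is non-zero while the URG flag is clear, and reassembles the 16 smuggled bits per packet. The packets are constructed inline for the demonstration; the port numbers and the hidden text are assumptions.

```python
import struct

# TCP header layout (RFC 793), 20 bytes with no options:
# src port(2) dst port(2) seq(4) ack(4) data-offset/flags(2) window(2) checksum(2) urgent pointer(2)
TCP_HDR = struct.Struct("!HHIIHHHH")
ACK = 0x10  # flag bits in the low 9 bits of the offset/flags field
URG = 0x20


def build_tcp_header(src, dst, seq, ack, flags, urg_ptr, window=65535, checksum=0):
    """Build a 20-byte TCP header. Constructed test data, not captured traffic."""
    offset_flags = (5 << 12) | (flags & 0x1FF)  # data offset = 5 words, 9 flag bits
    return TCP_HDR.pack(src, dst, seq, ack, offset_flags, window, checksum, urg_ptr)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict."""
    src, dst, seq, ack, offset_flags, window, checksum, urg_ptr = TCP_HDR.unpack(raw[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "window": window, "urg_ptr": urg_ptr}


def suspicious_urgent_pointer(hdr):
    """The urgent pointer is only interpreted when URG is set (RFC 793).
    A non-zero value with URG clear is unused header space: a classic covert channel."""
    return hdr["urg_ptr"] != 0 and not (hdr["flags"] & URG)


def extract_covert_bytes(packets):
    """Return the indexes of flagged packets and their 16-bit values joined in order."""
    flagged, payload = [], bytearray()
    for i, raw in enumerate(packets):
        hdr = parse_tcp_header(raw)
        if suspicious_urgent_pointer(hdr):
            flagged.append(i)
            payload += hdr["urg_ptr"].to_bytes(2, "big")
    return flagged, bytes(payload)


# Constructed sample: one normal packet, two carrying data, one legitimate urgent packet.
SAMPLE = [
    build_tcp_header(443, 51000, 1, 1, ACK, 0),              # nothing unusual
    build_tcp_header(443, 51000, 2, 1, ACK, 0x4143),         # "AC" hidden, URG clear
    build_tcp_header(443, 51000, 3, 1, ACK | URG, 0x0005),   # real urgent data, pointer valid
    build_tcp_header(443, 51000, 4, 1, ACK, 0x4354),         # "CT" hidden, URG clear
]

if __name__ == "__main__":
    idx, data = extract_covert_bytes(SAMPLE)
    print("flagged packets:", idx, "reassembled:", data)
```

Two bytes per packet is slow, but a large bank's Friday traffic gives an attacker many packets; the detection logic is the same whichever unused field is abused (IP ID, TCP reserved bits, initial sequence numbers), only the parse changes.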

3. John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor.

Which of the following techniques is John using to treat the risk identified by the IS auditor?

 
 
 
 

4. Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls or safeguards) is more than the potential loss that could be incurred.

What kind of strategy should Sam recommend to senior management to treat these risks?

 
 
 
 

5. Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?

 
 
 
 

6. Which of the following controls is intended to discourage a potential attacker?

 
 
 
 

7. Which of the following security controls is intended to prevent an incident from occurring?

 
 
 
 

8. Which of the following controls fixes a component or system after an incident has occurred?

 
 
 
 

9. Which of the following security controls is intended to bring the environment back to regular operation?

 
 
 
 

10. Which of the following controls helps to identify an incident’s activities and potentially an intruder?

 
 
 
 

11. Which of the following controls provides an alternative measure of control?

 
 
 
 

12. Which of the following is NOT an example of a preventive control?

 
 
 
 

13. Which of the following is NOT an example of a corrective control?

 
 
 
 

14. Which of the following audits includes specific tests of controls to demonstrate adherence to a specific regulatory or industry standard?

 
 
 
 

15. Which of the following audits assesses the accuracy of financial reporting?

 
 
 
 

16. Which of the following audits is mainly designed to evaluate the internal control structure in a given process or area?

 
 
 
 

17. Which of the following audits combines financial and operational audit steps?

 
 
 
 

18. Which of the following audits mainly focuses on discovering and disclosing frauds and crimes?

 
 
 
 

19. Which of the following audit risks relates to the exposure of a process or entity to be audited, without taking into account the controls that management has implemented?

 
 
 
 

20. Which of the following audit risks relates to a material error that exists and would not be prevented or detected on a timely basis by the system of internal controls?

 
 
 
 

21. Which of the following audit risks relates to material errors or misstatements that have occurred and will not be detected by the IS auditor?

 
 
 
 

22. Which of the following statements INCORRECTLY describes the control self-assessment (CSA) approach?

 
 
 
 

23. Which of the following statements INCORRECTLY describes the traditional audit approach in comparison to the control self-assessment approach?

 
 
 
 

24. Which of the following is the MOST important benefit of control self-assessment (CSA)?

 
 
 
 

25. Which of the following testing procedures is used by the auditor during an accounting audit to check for errors in the balance sheet and other financial documentation?

 
 
 
 

26. Which of the following testing procedures is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?

 
 
 
 

27. What are the different types of audits?

 
 
 
 

28. Statistical sampling is NOT based on which of the following audit sampling techniques?

 
 
 
 

29. An organization performs nightly backups but does not have a formal policy. An IS auditor should FIRST:

 
 
 
 

30. An IS auditor reviewing an organization’s data privacy controls observes that privacy notices do not clearly state how the organization uses customer data for its processing operations.

Which of the following data protection principles MUST be implemented to address this gap?

 
 
 
 

31. An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

 
 
 
 

32. In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon. The auditor should FIRST:

 
 
 
 

33. An organization is considering outsourcing the processing of customer insurance claims. An IS auditor notes that customer data will be sent offshore for processing.

Which of the following would be the BEST way to address the risk of exposing customer data?

 
 
 
 

34. An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated.

Which of the following should be the GREATEST concern?

 
 
 
 

35. Which of the following should an IS auditor determine FIRST when evaluating additional hardware required to support the acquisition of a new accounting system?

 
 
 
 

36. A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged.

Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

 
 
 
 

37. An IS auditor submitted audit reports and scheduled a follow-up audit engagement with a client. The client has requested to engage the services of the same auditor to develop enhanced controls.

What is the GREATEST concern with this request?

 
 
 
 

38. An IS auditor is evaluating the completeness of privacy procedures involving personally identifiable information (PII).

Which of the following is MOST important for the auditor to verify is included in the procedures?

 
 
 
 

39. The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

 
 
 
 

40. An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities.

Which of the following is the BEST recommendation by the IS auditor?

 
 
 
 

41. An IS auditor reviewing a new application for compliance with information privacy principles should be the MOST concerned with:

 
 
 
 

42. Which of the following is the PRIMARY reason for an IS auditor to issue an interim audit report?

 
 
 
 

43. Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack on encrypted data at rest?

 
 
 
 

44. In which of the following SDLC phases would the IS auditor expect to find that controls have been incorporated into system specifications?

 
 
 
 

45. An IS auditor has been invited to join an IT project team responsible for building and deploying a new digital customer marketing platform.

Which of the following is the BEST way for the auditor to support this project while maintaining independence?

 
 
 
 

46. An IS auditor observes a system performance monitoring tool which states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required, an IS auditor should review:

 
 
 
 

47. An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year.

The auditor’s NEXT step should be to:

 
 
 
 

48. Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

 
 
 
 

49. Multiple invoices are usually received for individual purchase orders, since purchase orders require staggered delivery dates.

Which of the following is the BEST audit technique to test for duplicate payments?

 
 
 
 

50. An IS auditor considering the risks associated with spooling sensitive reports for off-line printing will be the MOST concerned that:

 
 
 
 

51. In a data center audit, an IS auditor finds that the humidity level is very low.

The IS auditor would be MOST concerned because of an expected increase in:

 
 
 
 

52. Before concluding that internal controls can be relied upon, the IS auditor should:

 
 
 
 

53. The IS auditor has identified a potential fraud perpetrated by the network administrator.

The IS auditor should:

 
 
 
 

54. Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

 
 
 
 

55. Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise e-mail?

 
 
 
 

56. Which of the following should be established FIRST when initiating a control self-assessment program in a small organization?

 
 
 
 

57. What is an IS auditor’s BEST course of action if informed by a business unit’s representatives that they are too busy to cooperate with a scheduled audit?

 
 
 
 

58. An IS auditor has completed an audit of an organization’s accounts payable system.

Which of the following should be rated as the HIGHEST risk in the audit report and requires immediate remediation?

 
 
 
 

59. An IS auditor is planning on utilizing attribute sampling to determine the error rate for health care claims processed.

Which of the following factors will cause the sample size to decrease?

 
 
 
 

60. Which of the following is the PRIMARY benefit of using an integrated audit approach?

 
 
 
 

61. Which of the following is an analytical review procedure for a payroll system?

 
 
 
 

62. An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:

 
 
 
 

63. Two servers are deployed in a cluster to run a mission-critical application.

To determine whether the system has been designed for optimal efficiency, the IS auditor should verify that:

 
 
 
 

64. The GREATEST risk when performing data normalization is:

 
 
 
 

65. An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code.

What is the auditor’s BEST recommendation for the organization?

 
 
 
 

66. Which of the following is the BEST way to evaluate the effectiveness of access controls to an internal network?

 
 
 
 

67. An IS auditor finds a number of system accounts that do not have documented approvals.

Which of the following should be performed FIRST by the auditor?

 
 
 
 

68. An IS auditor is a member of an application development team that is selecting software.

Which of the following would impair the auditor’s independence?

 
 
 
 

69. An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.

Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

 
 
 
 

70. An audit of the quality management system (QMS) begins with an evaluation of the:

 
 
 
 

71. An IS auditor has completed an audit on the organization’s IT strategic planning process.

Which of the following findings should be given the HIGHEST priority?

 
 
 
 

72. Which of the following would provide the BEST evidence of successfully completed batch uploads?

 
 
 
 

73. An IS auditor is conducting a review of a healthcare organization’s IT policies for handling medical records.

Which of the following is MOST important to verify?

 
 
 
 

74. Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes.

However, it is determined that there are insufficient resources to execute the plan.

What should be done NEXT?

 
 
 
 

75. If concurrent update transactions to an account are not processed properly, which of the following will be affected?

 
 
 
 
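Question 75 turns on what breaks when two updates to the same account interleave. As an added illustration (not from the original page), the Python below drives two deposit transactions step by step through the classic lost-update interleaving: both read the balance before either writes. Without a check the second write silently overwrites the first, so the stored balance no longer reflects both deposits (the integrity of the data is lost); with an optimistic version check the second transaction detects the conflict, re-reads and retries. The account and amounts are constructed for the example, and the step-by-step driver stands in for a real scheduler.

```python
class Account:
    """Minimal account record with a version counter for optimistic concurrency control."""

    def __init__(self, balance):
        self.balance = balance
        self.version = 0

    def read(self):
        return self.balance, self.version

    def write_unchecked(self, new_balance):
        """Blind write: whatever was read earlier is assumed to still be current."""
        self.balance = new_balance
        self.version += 1

    def compare_and_set(self, expected_version, new_balance):
        """Commit only if nobody else wrote since our read; otherwise report a conflict."""
        if self.version != expected_version:
            return False
        self.balance = new_balance
        self.version += 1
        return True


def deposit_steps(account, amount, checked):
    """A deposit written as a generator so two of them can be interleaved by hand.
    Yields once after the read (the race window) and once after the write."""
    while True:
        balance, version = account.read()
        yield "read"
        if checked:
            if account.compare_and_set(version, balance + amount):
                yield "committed"
                return
            yield "retry"  # conflicting write seen: loop back, re-read, try again
        else:
            account.write_unchecked(balance + amount)
            yield "committed"
            return


def run_interleaved(checked):
    """Two deposits of 50 on a balance of 100; both read before either writes.
    Returns the final balance and the sequence of steps after the reads."""
    acct = Account(100)
    t1 = deposit_steps(acct, 50, checked)
    t2 = deposit_steps(acct, 50, checked)
    next(t1)
    next(t2)  # both transactions have now read balance == 100
    log = []
    for t in (t1, t2):  # t1 finishes first, then t2 is resumed
        for step in t:
            log.append(step)
    return acct.balance, log


if __name__ == "__main__":
    print("unchecked:", run_interleaved(False))  # 150: one deposit lost
    print("checked:  ", run_interleaved(True))   # 200: conflict detected and retried
```

Pessimistic locking (take a row lock before the read) avoids the retry at the cost of holding the lock across the transaction; either way the control the auditor looks for is that read-modify-write on an account is serialized, not merely fast.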

76. When conducting a review of security incident management, an IS auditor found there are no defined escalation processes. All incidents are managed by the service desk.

Which of the following should be the auditor’s PRIMARY concern?

 
 
 
 

77. Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

 
 
 
 

78. An IS auditor is reviewing a bank’s service level agreement (SLA) with a third-party provider that hosts the bank’s secondary data center.

Which of the following findings should be of GREATEST concern to the auditor?

 
 
 
 

79. Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

 
 
 
 

80. Which of the following is MOST important for an IS auditor to determine when reviewing how the organization’s incident response team handles devices that may be involved in criminal activity?

 
 
 
 

81. During a follow-up audit, an IS auditor learns the organization implemented an automated process instead of the originally agreed upon enhancement of the manual process.

The auditor should:

 
 
 
 

82. During a privileged access review, an IS auditor observes many help desk employees have privileges within systems not required for their job functions.

Implementing which of the following would have prevented this situation?

 
 
 
 

83. Management disagrees with a finding in a draft audit report and provides supporting documentation.

Which of the following should be the IS auditor’s NEXT course of action?

 
 
 
 

84. Which of the following audit techniques is MOST appropriate for verifying application program controls?

 
 
 
 

85. A business has requested an IS audit to determine whether information stored in an application system is adequately protected.

Which of the following is the MOST important action before the audit work begins?

 
 
 
 

86. Which audit technique provides the GREATEST assurance that incident management procedures are effective?

 
 
 
 

87. Which of the following findings would be of MOST concern to an IS auditor performing a review of an end-user developed application that generates financial statements?

 
 
 
 

88. An organization plans to deploy Wi-Fi location analytics to count the number of shoppers per day across its various retail outlets.

What should the IS auditor recommend as the FIRST course of action by IT management?

 
 
 
 

89. An IS auditor discovered abnormalities in a monthly report generated from a system upgraded six months ago.

Which of the following should be the auditor’s FIRST course of action?

 
 
 
 

90. When auditing the effectiveness of a biometric system, which of the following indicators would be MOST important to review?

 
 
 
 

91. An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have not been taken and that the associated risk has been accepted by senior management.

If the auditor disagrees with management’s decision, what is the BEST way to address the situation?

 
 
 
 

92. During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS).

Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

 
 
 
 

93. An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions.

Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

 
 
 
 
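Questions 49 and 93 both point at the same audit technique: running a duplicate-payment test across the whole payment population with data analytics rather than sampling. The added Python below (example code, not from the original page) shows the two matches an auditor typically runs: exact duplicates on vendor plus a normalized invoice number (so INV-1001 and inv1001 collide, as do A-55 and A-0055), and a review list of same-vendor, same-amount payments under different invoice numbers within a short window. Matching on purchase order alone would be wrong here, because staggered deliveries legitimately produce several invoices per PO. The payment records and the 30-day window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample population (not real data): id, vendor, invoice, PO, amount, payment date.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-1001", "po": "PO-7", "amount": 1250.00, "paid": date(2024, 3, 1)},
    {"id": 2, "vendor": "V100", "invoice": "INV-1002", "po": "PO-7", "amount": 1250.00, "paid": date(2024, 4, 15)},  # second delivery, legitimate
    {"id": 3, "vendor": "V100", "invoice": "inv1001",  "po": "PO-7", "amount": 1250.00, "paid": date(2024, 3, 9)},   # re-keyed copy of 1
    {"id": 4, "vendor": "V200", "invoice": "A-55",     "po": "PO-9", "amount": 80.00,   "paid": date(2024, 3, 2)},
    {"id": 5, "vendor": "V200", "invoice": "A-0055",   "po": "PO-9", "amount": 80.00,   "paid": date(2024, 3, 2)},   # zero-padded copy of 4
    {"id": 6, "vendor": "V300", "invoice": "Z1",       "po": "PO-3", "amount": 500.00,  "paid": date(2024, 3, 5)},
    {"id": 7, "vendor": "V300", "invoice": "Z9",       "po": "PO-3", "amount": 500.00,  "paid": date(2024, 3, 6)},   # same amount next day: review
]


def normalize_invoice(s):
    """Upper-case, drop punctuation and spaces, strip leading zeros from each digit run,
    so that the usual re-keying variants of one invoice number compare equal."""
    s = re.sub(r"[^A-Z0-9]", "", s.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_duplicates(payments, window_days=30):
    """Return (exact duplicate groups, fuzzy pairs to review).
    Exact: same vendor and normalized invoice number.
    Fuzzy: same vendor and amount, paid within window_days, different invoice numbers."""
    exact = defaultdict(list)
    for p in payments:
        exact[(p["vendor"], normalize_invoice(p["invoice"]))].append(p["id"])
    exact_dups = sorted(ids for ids in exact.values() if len(ids) > 1)

    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p["vendor"], round(p["amount"], 2))].append(p)

    fuzzy = []
    for group in by_vendor_amount.values():
        group.sort(key=lambda p: p["paid"])
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if (b["paid"] - a["paid"]).days > window_days:
                    break  # sorted by date, so later candidates are further away still
                if normalize_invoice(a["invoice"]) != normalize_invoice(b["invoice"]):
                    fuzzy.append((a["id"], b["id"]))
    return exact_dups, sorted(fuzzy)


if __name__ == "__main__":
    exact, review = find_duplicates(PAYMENTS)
    print("exact duplicates:", exact)   # [[1, 3], [4, 5]]
    print("review pairs:", review)      # [(6, 7)]
```

Exact matches are findings; fuzzy matches are a review list, since a vendor can legitimately bill the same amount twice in a month. The same pass works on a full general-ledger extract because it is linear in the number of payments after grouping.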

94. The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables:

 
 
 
 

95. When evaluating the ability of a disaster recovery plan to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:

 
 
 
 

96. An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found.

Which sampling method would be appropriate?

 
 
 
 
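The auditor in question 96 wants a sample sized so that a single exception is enough to trigger an investigation, which is discovery sampling; question 59 asks which inputs shrink an attribute sample. The added Python below (not from the original page) computes both sizes from first principles: the discovery size is the smallest n for which the chance of seeing at least one exception reaches the chosen confidence when the population exception rate is at the critical level, and the attribute size uses the textbook normal approximation with precision equal to tolerable rate minus expected rate. It assumes a population large relative to the sample (no finite-population correction) and the conventional two-sided z-values for 90/95/99% confidence; the base rates in the sensitivity check are illustrative.

```python
import math

Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}  # conventional two-sided z for the textbook formula


def discovery_sample_size(confidence, critical_rate):
    """Smallest n such that P(at least one exception in n items) >= confidence
    when the true exception rate equals critical_rate: 1 - (1 - p)^n >= C."""
    if not (0 < confidence < 1 and 0 < critical_rate < 1):
        raise ValueError("confidence and critical_rate must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def attribute_sample_size(confidence, expected_rate, tolerable_rate):
    """Normal-approximation size for estimating an exception rate:
    n = z^2 * p(1-p) / precision^2, precision = tolerable - expected."""
    if tolerable_rate <= expected_rate:
        raise ValueError("tolerable rate must exceed expected rate")
    z = Z_VALUES[confidence]
    precision = tolerable_rate - expected_rate
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / precision ** 2)


def sensitivity(base_confidence=0.95, base_expected=0.02, base_tolerable=0.06):
    """Show which single change to the inputs makes the attribute sample smaller."""
    return {
        "base": attribute_sample_size(base_confidence, base_expected, base_tolerable),
        "lower_confidence": attribute_sample_size(0.90, base_expected, base_tolerable),
        "higher_tolerable": attribute_sample_size(base_confidence, base_expected, 0.08),
        "lower_expected": attribute_sample_size(base_confidence, 0.01, base_tolerable),
    }


if __name__ == "__main__":
    print("discovery, 95% confidence, 1% critical rate:", discovery_sample_size(0.95, 0.01))  # 299
    print("discovery, 95% confidence, 5% critical rate:", discovery_sample_size(0.95, 0.05))  # 59
    print("attribute sensitivity:", sensitivity())
```

All three changes in the sensitivity check (lower confidence, higher tolerable rate, lower expected rate) reduce the sample; raising the expected error rate or demanding more confidence raises it. The discovery figure of about 300 items for 95%/1% is the value found in standard discovery sampling tables, which is a useful cross-check that the formula is right.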

97. Assessments of critical information systems are based on a cyclical audit plan that has not been updated for several years.

Which of the following should the IS auditor recommend to BEST address this situation?

 
 
 
 

98. An IS auditor is assessing risk associated with peer-to-peer file sharing within an organization.

Which of the following should be of GREATEST concern?

 
 
 
 

99. An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?

 
 
 
 

100. During an IS audit, it is discovered that security configurations differ across the organization’s virtual server farm.

Which of the following is the IS auditor’s BEST recommendation for improving the control environment?

 
 
 
 

101. A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.

Which of the following would be the MOST appropriate course of action for the senior auditor?

 
 
 
 

102. An IS auditor is conducting a pre-implementation review to determine a new system’s production readiness. The auditor’s PRIMARY concern should be whether:

 
 
 
 

103. An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

 
 
 
 

104. When following up on a data breach, an IS auditor finds a system administrator may have compromised the chain of custody.

Which of the following should the system administrator have done FIRST to preserve the evidence?

 
 
 
 

105. Which of the following should an IS auditor verify when auditing the effectiveness of virus protection?

 
 
 
 

106. Which of the following should be reviewed FIRST when planning an IS audit?

 
 
 
 

107. An IS auditor is evaluating a virtual server environment and learns that the production server, development server, and management console are housed in the same physical host.

What should be the auditor’s PRIMARY concern?

 
 
 
 

108. An organization’s disposal policy emphasizes obtaining maximum value for surplus IT media. The IS auditor should obtain assurance that:

 
 
 
 

109. An auditor notes the administrator user ID is shared among three financial managers to perform month-end updates.

Which of the following is the BEST recommendation to ensure the administrator ID in the financial system is controlled effectively?

 
 
 
 

110. Which of the following is MOST important for an IS auditor to verify after finding repeated unauthorized access attempts were recorded on a security report?

 
 
 
 

111. An IS auditor is involved with a project and finds an IT project stakeholder wants to make a change that could affect both the project scope and schedule.

Which of the following would be the MOST appropriate action for the project manager with respect to the change request?

 
 
 
 

112. Which of the following should an IS auditor expect to see in a network vulnerability assessment?

 
 
 
 

113. An IS auditor is evaluating the security of an organization’s data backup process, which includes the transmission of daily incremental backups to a dedicated offsite server.

Which of the following findings poses the GREATEST risk to the organization?

 
 
 
 

114. When continuous monitoring systems are being implemented, an IS auditor should FIRST identify:

 
 
 
 

115. During a follow-up audit, an IS auditor concludes that a previously identified issue has not been adequately remediated. The auditee insists the risk has been addressed. The auditor should:

 
 
 
 

116. An organization allows employee use of personal mobile devices for corporate email.

Which of the following should be the GREATEST IS audit concern?

 
 
 
 

117. Which of the following findings would be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?

 
 
 
 

118. What would be of GREATEST concern to an IS auditor observing shared key cards being utilized to access an organization’s data center?

 
 
 
 

119. Which of the following is MOST important for an IS auditor to ensure is included in a global organization’s online data privacy notification to customers?

 
 
 
 

120. While planning a security audit, an IS auditor is made aware of a security review carried out by external consultants. It is MOST important for the auditor to:

 
 
 
 

121. Which of the following is the BEST IS audit strategy?

 
 
 
 

122. Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization’s incident response process?

 
 
 
 

123. Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?

 
 
 
 

124. An internal audit department recently established a quality assurance (QA) program.

Which of the following activities is MOST important to include as part of the QA program requirements?

 
 
 
 

125. An IS auditor is mapping controls to risk for an accounts payable system.

What is the BEST control to detect errors in the system?

 
 
 
 

126. When auditing a quality assurance plan, an IS auditor should be MOST concerned if the:

 
 
 
 

127. The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

 
 
 
 

128. An IS audit manager has been asked to perform a quality review on an audit that the same manager also supervised.

Which of the following is the manager’s BEST response to this situation?

 
 
 
 

129. While reviewing similar issues in an organization’s help desk system, an IS auditor finds that they were analyzed independently and resolved differently. This situation MOST likely indicates a deficiency in:

 
 
 
 

130. An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process.

Which of the following would be MOST important to include?

 
 
 
 

131. An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

 
 
 
 

132. An IS auditor has assessed a payroll service provider’s security policy and finds significant topics are missing.

Which of the following is the auditor’s BEST course of action?

 
 
 
 

133. While reviewing a hot site, the IS auditor discovers that one type of hardware platform is not installed. The IS auditor should FIRST:

 
 
 
 

134. An IS auditor is reviewing the upgrading of an operating system.

Which of the following would be the GREATEST audit concern?

 
 
 
 

135. An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank’s customers.

Which of the following controls is MOST important for the auditor to confirm is in place?

 
 
 
 

136. Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

 
 
 
 

137. An IS auditor has obtained a large data set containing multiple fields and non-numeric data for analysis.

Which of the following activities will MOST improve the quality of conclusions derived from the use of a data analytics tool for this audit?

 
 
 
 

138. Which of the following is the MOST important requirement for an IS auditor to evaluate when reviewing a transmission of personally identifiable information between two organizations?

 
 
 
 

139. An IS auditor reviewed the business case for a proposed investment to virtualize an organization’s server infrastructure.

Which of the following is MOST likely to be included among the benefits in the project proposal?

 
 
 
 

140. Which of the following is the BEST way to facilitate proper follow-up for audit findings?

 
 
 
 

141. Which of the following would be the MOST efficient audit approach, given that a compliance-based approach was adopted in the previous year?

 
 
 
 

142. An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions.

Which of the following is MOST important for the auditor to confirm when sourcing the population data?

 
 
 
 

143. Which of the following should the IS auditor use to BEST determine whether a project has met its business objectives?

 
 
 
 

144. An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence.

What is the MOST significant risk from this observation?

 
 
 
 

145. Which of the following would be BEST suited to oversee the development of an information security policy?

 
 
 
 

146. Which of the following is the MOST important aspect relating to employee termination?

 
 
 
 

147. In which of the following cloud computing service models are applications hosted by the service provider and made available to customers over a network?

 
 
 
 

148. Which of the following cloud computing service models provides a way to rent operating systems, storage and network capacity over the Internet?

 
 
 
 

149. Which of the following cloud computing service models is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components?

 
 
 
 

150. Which of the following cloud deployment models operates solely for one organization?

 
 
 
 

151. Which of the following cloud deployment models can be shared by several organizations?

 
 
 
 

152. Which of the following cloud deployment models is provisioned for open use by the general public?

 
 
 
 

153. Which of the following cloud deployment models is formed by the composition of two or more cloud deployment models?

 
 
 
 

154. Which of the following steps of PDCA establishes the objectives and processes necessary to deliver results in accordance with the expected output?

 
 
 
 

155. Which of the following steps of PDCA implements the plan, executes the process and makes the product?

 
 
 
 

156. Which of the following steps of PDCA studies the actual result and compares it against the expected result?

 
 
 
 

157. Which of the following steps of PDCA requests corrective actions on significant differences between the actual and the planned result?

 
 
 
 

158. Which of the following answers specifies the correct sequence of levels within the Capability Maturity Model (CMM)?

 
 
 
 

159. Which of the following dynamic interconnections of the Business Model for Information Security (BMIS) is a pattern of behaviors, effects, assumptions, attitudes and ways of doing things?

 
 
 
 

160. Which of the following dynamic interconnections of the Business Model for Information Security (BMIS) is the place to introduce possible solutions such as feedback loops, alignment with process improvement, and consideration of emergent issues in the system design life cycle, change control and risk management?

 
 
 
 

161. A maturity model can be used to aid the implementation of IT governance by identifying:

 
 
 
 

162. The effectiveness of an information security governance framework will BEST be enhanced if:

 
 
 
 

163. Which of the following is the MOST important requirement for the successful implementation of security governance?

 
 
 
 

164. Which of the following BEST demonstrates effective information security management within an organization?

 
 
 
 

165. A multinational organization is introducing a security governance framework. The information security manager’s concern is that regional security practices differ.

Which of the following should be evaluated FIRST?

 
 
 
 

166. When facilitating the alignment of corporate governance and information security governance, which of the following is the MOST important role of an organization’s security steering committee?

 
 
 
 

167. Which of the following is a PRIMARY responsibility of an information security governance committee?

 
 
 
 

168. What is the MOST effective way to ensure security policies and procedures are up-to-date?

 
 
 
 

169. Which of the following is the PRIMARY advantage of having an established information security governance framework in place when an organization is adopting emerging technologies?

 
 
 
 

170. From a risk management perspective, which of the following is MOST important to be tracked in continuous monitoring?

 
 
 
 

171. Which of the following should be the PRIMARY objective of an information security governance framework?

 
 
 
 

172. An organization has developed mature risk management practices that are followed across all departments.

What is the MOST effective way for the audit team to leverage this risk management maturity?

 
 
 
 

173. Which of the following findings would be of GREATEST concern to an IS auditor performing an information security audit of critical server log management activities?

 
 
 
 

174. The BEST way to validate whether a malicious act has actually occurred in an application is to review:

 
 
 
 

175. A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?

 
 
 
 

176. An IS auditor finds that application servers had inconsistent configurations leading to potential security vulnerabilities.

Which of the following should the auditor recommend FIRST?

 
 
 
 

177. Implementing a strong password policy is part of an organization’s information security strategy for the year. A business unit believes the strategy may adversely affect a client’s adoption of a recently developed mobile application and has decided not to implement the policy.

Which of the following would be the information security manager’s BEST course of action?

 
 
 
 

178. In a multinational organization, local security regulations should be implemented over global security policy because:

 
 
 
 

179. Which of the following is a step in establishing a security policy?

 
 
 
 

180. A large number of exceptions to an organization’s information security standards have been granted after senior management approved a bring your own device (BYOD) program.

To address this situation, it is MOST important for the information security manager to:

 
 
 
 

181. Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?

 
 
 
 

182. Which of the following should be the PRIMARY reason to establish a social media policy for all employees?

 
 
 
 

183. An internal IS auditor discovers that a service organization did not notify its customers following a data breach.

Which of the following should the auditor do FIRST?

 
 
 
 

184. A small organization is experiencing rapid growth and plans to create a new information security policy.

Which of the following is MOST relevant to creating the policy?

 
 
 
 

185. A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:

 
 
 
 

186. Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?

 
 
 
 

187. An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. The information security manager’s BEST course of action should be to:

 
 
 
 

188. A policy has been established requiring users to install mobile device management (MDM) software on their personal devices.

Which of the following would BEST mitigate the risk created by noncompliance with this policy?

 
 
 
 

189. To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that:

 
 
 
 

190. The objectives of business process improvement should PRIMARILY include:

 
 
 
 

191. During a review of the IT strategic plan, an IS auditor finds that several IT initiatives focused on delivering new systems and technology are not aligned with the organization’s strategy. Which of the following would be the IS auditor’s BEST recommendation?

 
 
 
 

192. An organization has outsourced some of its subprocesses to a service provider. When scoping the audit of the provider, the organization’s internal auditor should FIRST:

 
 
 
 

193. An organization was severely impacted after an advanced persistent threat (APT) attack. Afterwards, it was found that the initial breach happened a month prior to the attack. Management’s GREATEST concern should be:

 
 
 
 

194. Software quality assurance (QA) reviews are planned as part of system development. At which stage in the development process should the first review be initiated?

 
 
 
 

195. An organization has made a strategic decision to split into separate operating entities to improve profitability.

However, the IT infrastructure remains shared between the entities.

Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

 
 
 
 

196. An IS auditor determines that an online retailer processing credit card information does not have a data classification process. The auditor’s NEXT step should be to:

 
 
 
 

197. An IS auditor is reviewing an organization’s network vulnerability scan results.

Which of the following processes would the scan results MOST likely feed into?

 
 
 
 

198. A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network.

Which of the following is the BEST course of action to address the situation?

 
 
 
 

199. Which of the following would BEST enable effective decision-making?

 
 
 
 

200. A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server.

Which of the following would MOST effectively allow the hospital to avoid paying the ransom?

 
 
 
 

201. Which of the following security processes will BEST prevent the exploitation of system vulnerabilities?

 
 
 
 
