CISA Self-Assessment

The CISA certification was developed to assess an individual's information system assurance experience specific to information security situations. Earning the CISA designation distinguishes you as a qualified information systems assurance and control professional with experience and knowledge assessing information security policies, procedures and controls implemented by an enterprise.

ISACA has prepared the CISA self-assessment to help CISA exam candidates assess their knowledge of the CISA job practice areas and determine in which areas they may have strengths and weaknesses. This self-assessment contains 50 sample items covering the appropriate proportion of subject matter to match the CISA exam blueprint. The items are not actual CISA exam items, but are items developed by subject matter experts in compliance with the CISA item writing guidelines and are meant to provide the exam taker with a sample of the type of questions that might appear on the exam. Note that this self-assessment is not a substitute for the actual exam, nor does the result of the self-assessment test guarantee or indicate future individual success. For additional exam detail coverage, review each area's task and knowledge statements.

This 50 question self-assessment is one of many tools that you can use to help prepare for the CISA exam.

1. A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?

2. An organization’s IT director has approved the installation of a wireless local area network (WLAN) access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:

3. An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:

4. In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?

5. While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:

6. During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control?

7. From a control perspective, the PRIMARY objective of classifying information assets is to:

8. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:

9. When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts?

10. Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee?

11. When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining whether IS:

12. Which of the following system and data conversion strategies provides the GREATEST redundancy?

13. Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam?

14. The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:

15. An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should:

16. Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?

17. After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?

18. An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST:

19. During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:

20. An IS auditor is testing employee access to a large financial system, and the IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?

21. An IS auditor should recommend the use of library control software to provide reasonable assurance that:

22. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:

23. Which of the following would be an indicator of the effectiveness of a computer security incident response team?

24. To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:

25. An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank’s financial risk is properly addressed, the IS auditor will most likely review which of the following?

26. Which of the following is the GREATEST risk to the effectiveness of application system controls?

27. Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization?

28. If a database is restored using before-image dumps, where should the process begin following an interruption?

29. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:

30. An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

31. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

32. At the completion of a system development project, a postproject review should include which of the following?

33. To determine if unauthorized changes have been made to production code, the BEST audit procedure is to:

34. Which of the following is an implementation risk within the process of decision support systems (DSSs)?

35. Which of the following is the BEST way to satisfy a two-factor user authentication?

36. During an audit, an IS auditor notes that an organization's business continuity plan (BCP) does not adequately address information confidentiality during a recovery process. The IS auditor should recommend that the plan be modified to include:

37. Which of the following is the MOST effective method for dealing with the spreading of a network worm that exploits a vulnerability in a protocol?

38. An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling when:

39. During the system testing phase of an application development project, the IS auditor should review the:

40. After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over IP (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?

41. To optimize an organization's business contingency plan (BCP), an IS auditor should recommend conducting a business impact analysis (BIA) in order to determine:

42. An audit charter should:

43. The PRIMARY purpose of an IT forensic audit is:

44. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:

45. When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor?

46. Which of the following is a characteristic of timebox management?

47. A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:

48. Which control is the BEST way to ensure that the data in a file have not been changed during transmission?

49. An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?

50. The GREATEST advantage of using web services for the exchange of information between two systems is: