Information Systems Operations and Business Resilience for CISA
This page covers the Information Systems Operations and Business Resilience domain of the CISA certification. Master Cybersecurity offers 360 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
- A. The BCP has not been tested since it was first issued.
- B. The BCP is not version-controlled.
- C. The BCP's contact information needs to be updated.
- D. The BCP has not been approved by senior management.
Explanation
The correct answer is: D. The BCP has not been approved by senior management.
The greatest concern is that the BCP has not been approved by senior management because without that approval the plan lacks the authority, resourcing, and accountability necessary for execution during a real disruption. CISA and ISO 22301 place senior-management approval at the top of BCP governance because the plan commits resources, defines decision authority, and assigns recovery responsibilities that only top management can sanction. The BCP not being tested since first issued is a serious gap but secondary to lack of approval. Missing version control is a configuration-management problem rather than a fundamental governance failure. Outdated contact information is operationally important but tactically fixable; unsigned governance by senior management is the controlling concern because no other element of BCP maintenance compensates for the absence of executive ownership.
Question 2
Which of the following would be MOST useful when analyzing computer performance?
- A. Tuning of system software to optimize resource usage
- B. Operations report of user dissatisfaction with response time
- C. Statistical metrics measuring capacity utilization
- D. Report of off-peak utilization and response time
Explanation
The correct answer is: C. Statistical metrics measuring capacity utilization.
The most useful information when analyzing computer performance is statistical metrics measuring capacity utilization because objective utilization statistics provide the quantitative basis for performance analysis across time, components, and workloads. CISA's evidence approach favors objectively measured data for performance analysis. Tuning of system software is a remediation activity rather than an analytical input. User dissatisfaction reports are subjective and lagging. Off-peak utilization and response-time reports cover only one operating regime; capacity-utilization statistics are the controlling analytical input because they provide the comprehensive quantitative basis the analysis requires.
Question 3
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
- A. Entity integrity
- B. Availability integrity
- C. Referential integrity
- D. Data integrity
Explanation
The correct answer is: D. Data integrity.
The greatest risk when two users have concurrent access to the same database record is data integrity because simultaneous updates without proper concurrency control can produce lost updates, inconsistent reads, and write-skew anomalies that corrupt the data. CISA and database-concurrency practice align concurrent-access risk with data integrity as the principal exposure. Entity integrity refers to primary-key correctness, which is unrelated. Availability integrity is not a standard term. Referential integrity addresses foreign-key relationships rather than concurrent updates; data integrity is the controlling risk because concurrency conflicts directly produce integrity failures that downstream operations propagate.
Question 4
Which of the following BEST indicates that an incident management process is effective?
- A. Decreased number of calls to the help desk
- B. Increased number of incidents reviewed by IT management
- C. Decreased time for incident resolution
- D. Increased number of reported critical incidents
Explanation
The correct answer is: C. Decreased time for incident resolution.
The best indication that an incident management process is effective is decreased time for incident resolution because the principal purpose of incident management is to restore service quickly, and resolution-time reduction is the direct measure of that outcome. CISA and ITIL 4 align incident-management effectiveness with resolution-time metrics as the principal indicator. Decreased calls to the help desk may reflect either improvement or lower demand. Increased IT-management review of incidents indicates governance activity but not handling effectiveness. Increased number of reported critical incidents may indicate worsening rather than better handling; resolution-time reduction is the controlling effectiveness measure.
Question 5
Which of the following data would be used when performing a business impact analysis (BIA)?
- A. Projected impact of current business on future business
- B. Expected costs for recovering the business
- C. Cost of regulatory compliance
- D. Cost-benefit analysis of running the current business
Explanation
The correct answer is: B. Expected costs for recovering the business.
The data used during a BIA includes expected costs for recovering the business because cost-of-recovery is one of the key impact dimensions a BIA quantifies along with revenue loss, regulatory penalty, and reputational harm. CISA and ISO 22301 align BIA data needs with the impact-quantification objective. Projected impact of current business on future business is a strategic-planning concept rather than a BIA input. Cost of regulatory compliance is a steady-state cost rather than a disruption-impact cost. Cost-benefit analysis of running the current business is a different financial analysis; expected recovery cost is the impact-relevant data element the BIA needs to produce credible recovery cost estimates.
Other CISA domains
- Governance and Management of IT (293 questions)
- Information System Auditing Process (318 questions)
- Information Systems Acquisition, Development and Implementation (276 questions)
- Protection of Information Assets (576 questions)