This exam covers cloud architecture, IAM configuration, encryption, multi-cloud security, container security, serverless risks, compliance requirements, and monitoring strategies. Candidates solve real-world challenges involving misconfigurations, privilege escalation, cloud attacks, and security automation through CI/CD pipelines.
Typology: Exams
Question 1. Which ISACA standard defines the responsibilities of an auditor when communicating audit findings?
A. Performance Standard 2100
B. General Standard 1100
C. Reporting Standard 2500
D. Quality Assurance Standard 3000
Answer: C
Explanation: Reporting Standard 2500 specifies the form and content of audit reports, including how findings are communicated to management and stakeholders.

Question 2. In the ISACA Code of Professional Ethics, which principle requires auditors to avoid conflicts of interest?
A. Integrity
B. Objectivity
C. Confidentiality
D. Professional competence
Answer: B
Explanation: The principle of Objectivity mandates that auditors remain unbiased and avoid situations where personal interests could compromise professional judgment.

Question 3. What is the primary purpose of due professional care in an IS audit?
A. To reduce audit scope
B. To ensure auditors work efficiently
C. To exercise prudence and diligence in audit activities
D. To delegate responsibilities to junior staff
Answer: C
Explanation: Due professional care obligates auditors to apply thoroughness, skill, and judgment to achieve reliable audit results.

Question 4. Which risk assessment method uses a scoring matrix that combines likelihood and impact?
A. Monte Carlo simulation
B. Qualitative risk assessment
C. Quantitative risk assessment
D. Decision tree analysis
Answer: B
Explanation: Qualitative risk assessments often employ a likelihood-impact matrix to prioritize risks without precise numerical values.

Question 5. A risk-based audit strategy is most closely aligned with which of the following?
A. Random sampling of all systems
B. Auditing only high-value assets
C. Aligning audit priorities with the organization’s risk profile
D. Performing audits on a fixed annual schedule
Answer: C
Explanation: A risk-based strategy selects audit subjects based on the organization’s identified risk exposure, ensuring resources target the most critical areas.

Question 6. The “audit universe” refers to:
A. The set of all audit standards worldwide
B. The collection of all IT assets and processes that could be audited
C. The pool of external auditors available to an organization
B. Defining audit objectives, timelines, and resource allocation
C. Developing new encryption algorithms
D. Performing user training on password policies
Answer: B
Explanation: Audit program management involves planning the audit, setting objectives, scheduling tasks, and assigning resources.

Question 10. Which audit evidence collection technique relies on direct observation of a process in real time?
A. Inquiry
B. Inspection
C. Observation
D. Confirmation
Answer: C
Explanation: Observation involves watching a process as it occurs, providing firsthand evidence of controls and procedures.

Question 11. When using statistical sampling, the “confidence level” indicates:
A. The probability that the sample is free from bias
B. The proportion of the population that will be audited
C. The degree of certainty that the true population characteristic lies within the interval
D. The number of errors the auditor expects to find
Answer: C
Explanation: Confidence level reflects how sure the auditor can be that the true population value falls within the calculated confidence interval.

Question 12. Computer-Assisted Audit Techniques (CAATs) are most useful for:
A. Conducting physical inventory counts
B. Analyzing large data sets to identify anomalies
C. Designing network topologies
D. Writing policy documents
Answer: B
Explanation: CAATs automate data extraction and analysis, enabling auditors to examine massive data volumes efficiently.

Question 13. Which reporting element should include the auditor’s opinion on the adequacy of internal controls?
A. Executive summary
B. Management response
C. Findings and recommendations
D. Auditor’s conclusion
Answer: D
Explanation: The auditor’s conclusion (or opinion) summarizes the overall assessment, including judgments about internal control adequacy.

Question 14. A quality assurance and improvement program (QAIP) for an IS audit function primarily aims to:
A. Increase the number of audits performed annually
B. Ensure audit work complies with professional standards and continuously improves
C. Reduce audit fees for clients
D. Automate all audit procedures
Answer: B
Explanation: QAIP monitors compliance with standards and implements enhancements to audit processes and outcomes.
Explanation: Enterprise architecture and strategic planning documents demonstrate how IT initiatives support and enable business objectives.

Question 18. Which governance framework is specifically oriented toward service management and operational best practices?
A. COBIT
B. ITIL
C. ISO/IEC 27001
D. NIST CSF
Answer: B
Explanation: ITIL focuses on IT service management processes such as incident, problem, and change management.

Question 19. Under GDPR, which principle requires organizations to limit personal data collection to what is necessary for the intended purpose?
A. Accuracy
B. Integrity
C. Data minimization
D. Accountability
Answer: C
Explanation: Data minimization mandates that only data essential to achieve the processing purpose be collected and retained.

Question 20. A key performance indicator (KPI) for IT service availability would most likely be expressed as:
A. Number of tickets resolved per technician
B. Mean time between failures (MTBF)
C. Percentage of budget spent on hardware
D. Number of user training sessions completed
Answer: B
Explanation: MTBF measures the average time between system failures, directly reflecting service availability.

Question 21. When auditing a cloud service provider contract, which clause is most critical for ensuring data confidentiality?
A. Service Level Agreement (SLA) response time
B. Data encryption and key management requirements
C. Termination notice period
D. Pricing schedule
Answer: B
Explanation: Encryption and key management clauses define how data is protected in transit and at rest, safeguarding confidentiality.

Question 22. Data classification policies typically define all of the following EXCEPT:
A. Ownership responsibilities
B. Required backup frequency
C. Access control levels based on sensitivity
D. Retention periods for each classification
Answer: B
Explanation: While classification influences access and retention, backup frequency is generally dictated by recovery objectives, not classification alone.

Question 23. In an Agile development environment, which control is most appropriate for ensuring security requirements are addressed continuously?
A. Conducting a single comprehensive security test at project end
Question 26. Which testing technique is best suited for verifying that a financial application correctly calculates tax amounts for all possible tax codes?
A. Substantive testing with random sampling
B. Compliance testing of access controls
C. Exhaustive data-driven testing (full data set)
D. Walkthrough of the calculation algorithm
Answer: C
Explanation: Exhaustive data-driven testing runs the application against the entire set of tax codes to ensure accurate calculations for each case.

Question 27. In change management, an “emergency change” typically requires:
A. Full change advisory board (CAB) approval before implementation
B. Documentation after the change is applied, with post-implementation review
C. No documentation or testing
D. Automatic rollback if any issue arises
Answer: B
Explanation: Emergency changes are fast-tracked but still require post-implementation documentation and review to maintain control integrity.

Question 28. Patch management best practice dictates that critical security patches should be applied within:
A. 30 days of release
B. 90 days of release
C. 7 days of release
D. 180 days of release
Answer: C
Explanation: Industry standards (e.g., NIST) recommend applying critical security patches within a week to reduce exposure.

Question 29. Which metric is most relevant for evaluating capacity management of a web application?
A. Number of user accounts created per month
B. Average CPU utilization during peak load
C. Total number of software licenses purchased
D. Frequency of password changes
Answer: B
Explanation: CPU utilization during peak periods indicates whether the system has sufficient processing capacity to meet demand.

Question 30. The primary purpose of operational log management is to:
A. Archive all data for future reference
B. Provide evidence for forensic investigations and support incident response
C. Replace the need for backups
D. Generate financial reports
Answer: B
Explanation: Logs capture system activity, enabling detection, investigation, and remediation of security incidents.

Question 31. A Business Impact Analysis (BIA) helps an organization to:
A. Choose a cloud provider
B. Prioritize critical business functions and define recovery time objectives (RTOs)
C. Develop marketing strategies
D. Conduct employee performance reviews
D. A remote backup of all applications in the cloud
Answer: C
Explanation: A cold site provides ready-to-install hardware and infrastructure but lacks up-to-date data or configurations.

Question 35. Which of the following is a key element of a post-implementation review (PIR)?
A. Verification that the project stayed within the original budget only
B. Assessment of whether the system meets its intended objectives and delivers expected benefits
C. Documentation of all code libraries used
D. Evaluation of the vendor’s marketing materials
Answer: B
Explanation: PIR evaluates if the project achieved its goals, delivered value, and if controls are operating as intended.

Question 36. When auditing a database, the “least privilege” principle requires that users be granted:
A. All permissions needed for any future task
B. Only the permissions necessary to perform their job functions
C. Administrator rights by default
D. No permissions until a request is made
Answer: B
Explanation: Least privilege minimizes risk by limiting user rights to the minimum required for their duties.

Question 37. Which type of control testing focuses on confirming that a control is operating as designed over a period of time?
A. Substantive testing
B. Continuous monitoring
C. Walkthrough
D. Reperformance
Answer: B
Explanation: Continuous monitoring tests controls on an ongoing basis, providing evidence of consistent operation.

Question 38. In the context of IT governance, “enterprise risk management” (ERM) is primarily concerned with:
A. Managing only IT-related risks
B. Integrating IT risk considerations into the organization’s overall risk framework
C. Outsourcing all risk activities to a third party
D. Eliminating all risk through strict controls
Answer: B
Explanation: ERM ensures that IT risks are considered alongside other business risks within a unified risk management process.

Question 39. Which of the following is a typical output of a risk-based audit plan?
A. A list of all hardware assets in the data center
B. A schedule of audit engagements prioritized by risk rating
C. A detailed network topology diagram
D. A set of user manuals for all applications
Answer: B
Explanation: A risk-based audit plan ranks audit subjects by risk, producing a prioritized schedule of engagements.
Explanation: Network segmentation and monitoring mitigate the risk of weaker authentication by limiting exposure and detecting suspicious activity.

Question 43. In the context of ISO/IEC 27001, the “Statement of Applicability” (SoA) serves to:
A. List all assets owned by the organization
B. Identify which Annex A controls have been selected and why, including any exclusions
C. Provide a risk assessment methodology
D. Define the organization’s business continuity objectives
Answer: B
Explanation: The SoA documents the controls chosen from Annex A, justifies inclusions/exclusions, and demonstrates compliance.

Question 44. Which of the following best describes a “detective” control in the context of network security?
A. Firewall that blocks unauthorized traffic
B. Intrusion detection system that generates alerts on suspicious packets
C. Automated patch deployment that prevents vulnerabilities
D. User training program on phishing awareness
Answer: B
Explanation: An intrusion detection system monitors traffic and alerts when anomalies are detected, serving as a detective control.

Question 45. During a post-implementation review, an auditor discovers that the system’s actual ROI is 2% lower than projected. Which of the following is the most appropriate recommendation?
A. Immediately decommission the system
B. Conduct a root-cause analysis to identify variance drivers and adjust future business case assumptions
C. Increase the system’s user licenses to boost revenue
D. Ignore the variance because it is within a 5% tolerance
Answer: B
Explanation: Understanding why ROI fell short helps refine estimation methods and improve future project evaluations.

Question 46. Which of the following is a key objective of configuration management?
A. Ensuring all changes are made without documentation
B. Maintaining an accurate record of system settings to support consistency and traceability
C. Eliminating the need for change management processes
D. Automating user password resets
Answer: B
Explanation: Configuration management tracks and controls system configurations, providing a baseline for audits and troubleshooting.

Question 47. In an ITIL Incident Management process, the “major incident” classification typically requires:
A. No communication with stakeholders
B. Immediate escalation to senior management and a dedicated response team
C. Deferral until the next scheduled maintenance window
D. Automatic ticket closure after 24 hours
Answer: B
Explanation: Major incidents demand rapid, high-visibility response and escalation to minimize business impact.
Explanation: Technical safeguards address electronic protections such as access controls, encryption, and audit logs for ePHI.

Question 51. Which of the following audit sampling methods is most appropriate when the auditor wants to ensure that every high-value transaction is examined?
A. Random sampling
B. Judgmental (non-statistical) sampling
C. Monetary unit sampling
D. Systematic sampling
Answer: C
Explanation: Monetary unit sampling gives greater weight to larger transactions, increasing the likelihood they are selected.

Question 52. In the context of IT asset management, “asset tagging” primarily serves to:
A. Encrypt all data on the device
B. Provide a unique identifier for tracking ownership, location, and lifecycle status
C. Increase the device’s processing speed
D. Automatically install software updates
Answer: B
Explanation: Asset tags enable organizations to monitor assets throughout acquisition, use, and disposal phases.

Question 53. Which of the following is a typical deliverable of a Business Continuity Plan (BCP) test?
A. A list of all software licenses purchased
B. A report detailing test objectives, scenarios executed, results, and corrective actions
C. The organization’s annual financial statements
D. A new network topology diagram
Answer: B
Explanation: BCP testing produces documentation of the test scope, outcomes, and any gaps that need remediation.

Question 54. A “zero-trust” security model assumes that:
A. All users inside the corporate network are trusted by default
B. No user or device is trusted implicitly, and verification is required for every access request
C. Only external users need to be authenticated
D. Firewalls are no longer necessary
Answer: B
Explanation: Zero-trust requires continuous authentication and authorization, treating every request as potentially hostile.

Question 55. Which of the following is a primary characteristic of a “digital signature”?
A. It encrypts the entire document for confidentiality
B. It provides non-repudiation by linking the signer’s private key to the signed data
C. It is only used for PDF files
D. It replaces all forms of authentication
Answer: B
Explanation: Digital signatures bind the signer’s identity to the content, ensuring integrity and non-repudiation.

Question 56. In a risk register, the “risk owner” is responsible for:
A. Funding the audit department
B. Implementing and monitoring mitigation actions for the assigned risk