2025年国际注册信息系统审计师（CISA）资格考试（英文版）综合能力测试题及答案

2025年国际注册信息系统审计师（CISA）资格考试（英文版）综合能力测试题及答案PartI–Multiple-Choice(SelecttheBESTanswer;1markeach)1.Duringapost-implementationreviewofanERPpayrollmodule,anISauditornotesthattheovertimecalculationrulewaschangedthreeweeksaftergo-livewithoutdocumentation.WhichfindingisMOSTconcerning?A.Thechangewasnottestedinthequalityassuranceenvironment.B.ThechangewasapprovedbytheHRdirectorinsteadoftheprocessowner.C.Thechangewasmigratedthroughtheemergencychangeprocedure.D.Thechangeproduceda0.8%varianceinthemonthlysalaryaccrual.Answer:AExplanation:EmergencychangesstillrequireQAtestingcommensuratewithrisk.Theabsenceofanytestingexposestheorganisationtomaterialmisstatementinpayrollandpossibleregulatorynon-compliance.Theotherchoicesaresecondary:approvalbyHRdirector(B)isweakgovernancebutnotnecessarilyineffective;emergencyprocedure(C)ispermissibleifjustified;0.8%variance(D)isimmaterialinmostjurisdictions.2.Anorganisationusesacloud-hosteddatalakeencryptedwithAES-256.TheCISOstatesthat“encryptionatresteliminatestheneedfortokenisation.”TheISauditorshouldrespondthat:A.TokenisationisredundantwhenAES-256isimplemented.B.Tokenisationaddressesdataresidencyrequirementsencryptioncannot.C.Tokenisationreduceskey-managementcomplexity.D.Tokenisationisonlyrelevantforstructuredrelationaldata.Answer:BExplanation:Tokenisationsubstitutessensitivedataelementswithnon-exploitableequivalents,enablingworkloadstoresideinjurisdictionswithstrictdata-sovereigntyrules.Encryptionatrestdoesnotchangethephysicallocationorlegalclassificationofdata.3.WhichofthefollowingBESTdemonstratesthatavulnerabilitymanagementprogrammeisrisk-basedratherthancompliance-driven?A.ScanfrequencyexceedsPCIDSSminimumrequirements.B.PatchesareprioritisedbyCVSSscoreweightedagainstassetcriticality.C.ThepatchSLAisdocumentedintheInformationSecurityPolicy.D.Unpatchedsystemsarereportedtoseniormanagementquarterly.Answer:BExplanation:WeightingCVSSagainstassetcriticalityalignsremediationeffortwithprobablebusinessimpact,ahallmarkofrisk-basedprogrammes.ExceedingPCIfrequency(A)maystillbechecklist-driven;documentingSLAs(C)andreporting(D)aregovernanceartefacts,notevidenceofriskorientation.4.Afintechstart-upimplementsablockchainconsensusmechanismthatrequiresonly30%ofnodestoagreetovalidateatransaction.FromanISauditor’sperspective,thePRIMARYriskis:A.Forkingofthechain.B.51%attack.C.Doublespending.D.Collusionamongminoritynodes.Answer:DExplanation:A30%thresholdlowersthebarriertocollusion;maliciousactorscontrollingone-thirdofnodescanrewriterecenthistory.A51%attack(B)isimpossiblebydefinitionat30%,butminoritycollusion(D)issufficienttocompromiseintegrity.5.AnISauditorreviewingSOC2TypeIIreportsforaSaaSvendornotesthatthe“logicalaccess”controlexceptionrateincreasedfrom2%to12%year-over-year.TheFIRSTstepisto:A.Recommendcontracttermination.B.Validatewhetherthepopulationsizechanged.C.Requestacompensatingcontrolmatrix.D.Escalatetotheboardauditcommittee.Answer:BExplanation:Anapparentincreasemaybeastatisticalartefactifthesampleorpopulationexpanded.Understandingdenominatorchangesisessentialbeforeconcludingoncontroleffectiveness.6.WhichcontrolBESTmitigatestheriskof“deepfake”voicefraudinthecallcentre?A.CallbacktothenumberregisteredintheCRM.B.Voicebiometricauthentication.C.Knowledge-basedauthentication(KBA).D.Randomisedsecurityquestions.Answer:AExplanation:DeepfakeaudiodefeatsbiometricandKBAcontrols.Out-of-bandverificationusingapre-registeredcallbacknumberprovidesaseparatechannelresistanttosyntheticmedia.7.Duringapenetrationtest,theauditorobtainsareverseshellbyexploitinganunpatchedprintserver.TheprintserverissegmentedbyaVLANwithACLsdenyingany-to-anytraffic.WhichfindingshouldbereportedFIRST?A.TheVLANsegmentationisineffective.B.TheACLsaremisconfigured.C.Theprintserverlackshost-basedfirewallrules.D.Thepatchingprocessisimmature.Answer:DExplanation:Rootcauseistheunpatchedvulnerability;segmentation(A,B)andhostfirewall(C)arelayereddefencesbutdonotexcusetheabsenceoftimelypatching.8.Anorganisationadoptsa“zero-trust”networkarchitecture.WhichmetricBESTdemonstratesprogrammematurity?A.Percentageofuserswithmulti-factorauthentication(MFA).B.Meantimetodetect(MTTD)lateralmovement.C.Numberoffirewallrulesets.D.Ratioofencryptedvs.unencryptedeast-westtraffic.Answer:BExplanation:Zero-trustaimstominimiseimplicittrustzones.Detectinglateralmovementquicklyvalidatesthatmicro-segmentationandbehaviouralanalyticsarefunctioning.9.Adata-centre’sUPSsystemshows98%availabilityoverthelastyear,versustheSLAof99.9%.TheISauditorshould:A.ConcludethattheSLAistoostringent.B.Reviewthepreventivemaintenancelogs.C.RecommendredundantUPSunits.D.Recalculateavailabilityexcludingplannedmaintenancewindows.Answer:BExplanation:Maintenancelogsrevealwhetherdowntimewasscheduledorduetofailure;thisinformsrootcauseandappropriateremediation.Recalculating(D)maymaskoperationalissues.10.AnewAI-basedintrusiondetectionsystem(IDS)produces400alertsperday,with380beingfalsepositives.TheFIRSTgovernanceactionisto:A.Retrainthemodelwithaugmenteddata.B.AdjusttheBayesianthresholdtoreducesensitivity.C.Definealert-to-ticketconversionrules.D.Validatethebaselinelabellingquality.Answer:DExplanation:Garbage-in-garbage-out:iftraininglabelsareinaccurate,retraining(A)orthresholdtuning(B)willnothelp.Establishinglabelintegrityprecedesmodeladjustments.11.WhichofthefollowingistheMOSTreliableevidencethataransomwareincidentresponseplaniseffective?A.Theplanisupdatedannually.B.Table-topexercisesincludeexecutiveparticipation.C.Recoverytimeobjective(RTO)wasmetduringthelastrealincident.D.TheplanalignswithNISTSP800-61r2.Answer:CExplanation:ActualperformanceagainstRTOprovidesempiricalevidence;alignment(D)andexercises(B)arepreparatory,whileannualupdates(A)areadministrative.12.AnISauditorreviewingcontainersecurityfindsthattheDevOpspipelinescansimagesforCVEsonlyatbuildtime.TheGREATESTriskis:A.ImagesmaydriftasnewCVEsarepublished.B.Thescanslowspipelinevelocity.C.BaseimagesarepulledfromDockerHub.D.Secretscouldbeembeddedinlayers.Answer:AExplanation:Vulnerabilitydatabasesevolvedaily;aone-timescancannotdetectnewlydisclosedCVEsinalready-deployedimages.Runtimeorregistryre-scanningisessential.13.Acompany’sBring-Your-Own-Device(BYOD)policyrequiresemployeestobackuppersonaldevicestothecorporatecloud.ThePRIMARYprivacyconcernis:A.Comminglingofcorporateandpersonaldata.B.Increasedbandwidthusage.C.Inabilitytoenforcegeolocationwiping.D.Potentialformalwareupload.Answer:AExplanation:Comminglingcomplicatesdata-classification,e-discovery,andsubject-accessrequests,creatingregulatoryexposure.Malware(D)isasecurityissue,notprivacy.14.WhichcontrolBESTensurestheintegrityofaroboticprocessautomation(RPA)botthatupdatescustomercreditlimits?A.Codesigningofbotscripts.B.Immutableauditlogofbotdecisions.C.Dual-authorityforlimitchanges.D.Hashtotalsreconciledpre-andpost-run.Answer:DExplanation:Hashtotals(e.g.,sumofcreditlimits)detectunauthorisedrecordmodifications,directlyvalidatingintegrity.Auditlogs(B)aredetectivebutnotpreventive.15.AnISauditorisaskedtoassesstheriskofquantumcomputingoncurrentcryptography.TheFIRSTstepisto:A.Inventorydataclassifiedasconfidentialwithretention>10years.B.Recommendadoptionoflattice-basedalgorithms.C.Performaquantumthreatmaturityassessment.D.Engageaquantum-safevendor.Answer:AExplanation:A10-yearinventoryidentifiesassetssusceptibleto“harvest-now-decrypt-later”attacks,prioritisingmigrationurgency.Vendorengagement(D)isprematurewithoutscoping.16.Duringanagilesprintretrospective,theproductownerrefusestologfindingsintheissuetracker,claiming“retrospectivesareinformal.”TheISauditorshould:A.EscalatetotheScrumMaster.B.Documentthelackofaudittrail.C.Concludethatagileisincompatiblewithgovernance.D.Recommendrevertingtowaterfall.Answer:BExplanation:Governancerequiresevidence;absenceofdocumentationimpedesfutureauditsandcontinuousimprovement.Escalation(A)issecondarytorecordingthegap.17.AbankusesanAImodelforcreditscoring.Themodel’sfalse-negativerateincreasedfrom3%to7%afteradatadrift.WhichcontrolisMOSTeffectivetopreventinadvertentdiscrimination?A.Fairnessconstraintbakedintothelossfunction.B.Monthlydisparate-impacttesting.C.Explainabilitydashboardforloanofficers.D.Outcome-trackingbydemographicgroup.Answer:AExplanation:Embeddingfairnessconstraintsduringtraining(e.g.,equalisedodds)proactivelylimitsdiscriminatoryimpact.Post-hoctesting(B,D)isdetective;dashboards(C)areinformative.18.ASOCanalystdisablesasignaturetostopfalse-positivealerts,buttheactionisnotlogged.TheISauditor’sPRIMARYconcernis:A.Alertfatigue.B.Lackofchangeauthorisation.C.Potentialundetectedintrusions.D.Absenceoflogging.Answer:CExplanation:Disablingasignaturemayallowrealintrusionstopassunnoticed,creatingacontrolgap.Whilelogging(D)andauthorisation(B)areweak,theultimateriskismisseddetection.19.WhichtestBESTconfirmsthatdatabaseencryptionkeysareproperlysegregatedfromthedatatheyprotect?A.ReviewHSMauditlogsforkeyusage.B.Verifykeyrotationfrequency.C.ConfirmseparationofdutiesbetweenDBAsandsecurityofficers.D.Validatethatkeysarenotexportedtothesamevolumegroup.Answer:DExplanation:Physicalorlogicalseparationofkeysandciphertextisfundamental.Exporttothesamevolume(D)negatessegregation,whereasusagelogs(A)androtation(B)areancillary.20.Anorganisation’sincidentresponseteamusesasharedGmailaccountforcoordination.TheGREATESTriskis:A.Lackofencryption.B.Nodata-lossprevention(DLP).C.Absenceofmulti-factorauthentication.D.Potentialaccountlockoutduetopasswordreuse.Answer:CExplanation:SharedcredentialsprecludeMFA,exposingthemailboxtotakeoverandlossofforensicevidence.DLP(B)andencryption(A)aresecondarytoauthentication.21.AmanufacturerdeploysIndustrialInternetofThings(IIoT)sensorsontheshopfloor.TheISauditornotesthatfirmwareupdatesarepushedviaunencryptedHTTP.TheBESTrecommendationisto:A.SegmenttheOTnetwork.B.Implementcodesigning.C.UseencryptedOTAchannels.D.DisableunusedUARTports.Answer:CExplanation:Encryptingover-the-air(OTA)updatespreventsman-in-the-middleinjectionofmaliciousfirmware.Segmentation(A)limitsblastradiusbutdoesnotsecuretheupdateitself.22.Acompany’sprivacynoticestatesitwill“retainpersonaldatanolongerthannecessary.”Toprovideauditassurance,theISauditorshould:A.InterviewtheDPO.B.Inspectdata-deletionschedulesandevidence.C.Reviewtheretentionclauseintheemployeehandbook.D.Confirmbackup-tapeencryption.Answer:BExplanation:Deletionschedulesandlogsfurnishobjectiveevidenceofcompliancewiththestatedprinciple.Interviews(A)arecorroborativebutnotsufficient.23.WhichofthefollowingistheMOSTmeaningfulindicatorthatsecurityawarenesstrainingreducesphishingsusceptibility?A.95%ofstaffcompletedtraining.B.Phish-pronepercentagedroppedfrom18%to4%.C.Trainingcontentwasupdatedwithnewtemplates.D.Averagetrainingtimeincreasedto45minutes.Answer:BExplanation:Behaviouraloutcome(reducedclickrate)directlymeasureseffectiveness.Completionrate(A)andduration(D)areinputmetrics.24.AnISauditorreviewingopen-sourcesoftware(OSS)governancefindsthatdevelopersareallowedtodownloadanylibraryfromMavenCentral.ThePRIMARYcontrolgapis:A.Licensecompliance.B.Typosquattingrisk.C.Lackofchecksumverification.D.Dependencyconfusionattack.Answer:DExplanation:Withoutinternalnamespacereservation,attackerscanpublishhigher-versionmaliciouspackagesthatdependencymanagerspreferentiallyfetch.License(A)andchecksums(C)aresecondary.25.Acitygovernmentstorescitizenvideoevidenceinapubliccloudobjectstore.WhichcontrolBESTensuresnon-repudiation?A.SSE-S3encryption.B.Write-Once-Read-Many(WORM)retention.C.SignedURLswithexpiry.D.CloudTrailobject-levellogging.Answer:BExplanation:WORM(e.g.,S3ObjectLockincompliancemode)preventsalterationordeletionbeforeretentionexpiry,supportingnon-repudiation.Logging(D)isdetective;encryption(A)protectsconfidentiality.PartII–Multiple-Response(SelectTWOcorrectanswers;2markseach)26.WhichTWOcontrolsMOSTeffectivelyreducetheriskoffraudulentACHtransfersinitiatedviacompromisedbankingcredentials?A.IP-whitelistingforcorporatenetbanking.B.Out-of-bandtransactionsigningusingamobileapp.C.Dailyreconciliationbytreasury.D.Machine-learninganomalydetectionontransferamounts.E.HardwaretokenOTPatlogin.Answers:B,DExplanation:Out-of-bandsigning(B)preventsunauthorisedpaymentfilesevenifcredentialsarephished.MLanomalydetection(D)flagssuspiciouspatternsinrealtime.IP-whitelisting(A)isbrittleforremotework;reconciliation(C)isdetectivepost-factum;OTP(E)protectsloginbutnotsessionhijacks.27.AnorganisationismigratingSAPtoAWS.WhichTWOdesignchoicesBESTsupportevidencepreservationforfutureforensicinvestigations?A.EnableVPCTrafficMirroringtoadedicatedforensicVPC.B.StoreOS-levellogsinCloudWatchwith365-dayretention.C.Useinstancestorefor/var/logtoreduceEBScost.D.ActivateAWSConfigwithrecordingofallresourcechanges.E.DisableSELinuxtoimprovecompatibility.Answers:A,DExplanation:TrafficMirroring(A)capturesfullpacketdata;Config(D)recordsAPI-levelchanges.CloudWatch(B)lacksfullpacketcaptureand365-dayretentionisexpensive.Instancestore(C)isephemeral;disablingSELinux(E)weakenssecurity.28.Ahealth-techstart-upprocessesgeneticdata.WhichTWOcontractualclausesareMOSTcriticalwhenoutsourcinganalyticstoathird-partyAIplatform?A.Righttoauditsub-processors.B.DataportabilityinCSVformat.C.GDPRArticle28processoragreement.D.IndemnityforIPinfringementbytheAImodel.E.Waiverofrighttoerasureforresearchexemption.Answers:A,CExplanation:Righttoaudit(A)ensurestransparencyoversub-processors;Art.28(C)mandatessecurityandconfidentialityprovisions.Dataportability(B)isuser-centric,notcoretooutsourcingrisk;IPindemnity(D)issecondary;waiver(E)isgenerallyunenforceableagainstdata-subjectrights.29.Azero-trustarchitectureprojectrequiresendpointpostureassessment.WhichTWOattributesMOSTreliablyindicateacompromiseddevice?A.Certificateexpirywithin30days.B.Presenceofunsignedkerneldrivers.C.MDM-reportedrooted/jailbrokenflag.D.Geo-locationmismatchfromHQ.E.CPUutilisation>90%.Answers:B,CExplanation:Unsigneddrivers(B)androotedflag(C)arestrongindicatorsofdeviceintegrityloss.Certificateexpiry(A)isadministrative;geo-mismatch(D)maybelegitimatetravel;highCPU(E)isambiguous.30.AretailerdeploysRFIDtagsforinventory.WhichTWOcontrolsBESTprotectcustomerprivacyintheeventoftagdataleakage?A.Killcommandafterpoint-of-sale.B.PseudonymousEPCcodes.C.256-bitAESencryptionontag.D.Faraday-cageshoppingbags.E.Rotatingtagpasswords.Answers:A,BExplanation:Killcommand(A)preventstrackingpost-sale;pseudonymousEPCs(B)avoidlinkingtopersonaldata.AES(C)isofteninfeasibleonpassivetags;Faradaybags(D)areuser-dependent;passwordrotation(E)doesnotremovedata.PartIII–Scenario-BasedShortAnswer(5markseach)31.ScenarioAmultinationalbankoperatesalegacymainframeforcorebankinginterfacedwithamodernAPIgateway.DuringaCOBIT-basedaudit,managementassertsthat“mainframeriskislowbecauseitisnotinternet-facing.”Theauditordiscoversthat:•TheAPIgatewayacceptsSOAPrequestsoverHTTPSandtranslatesthemintonativemainframetransactions.•Thegatewaystoresmainframecredentialsinacleartextconfigurationfile.•Mainframepasswordrulesallow6-characteralphabeticstrings.•NomainframeauditlogsareforwardedtotheSIEM.Requireda.IdentifyTHREEsignificantriskimplications.b.ProvideTWOpracticalremediationstepsforeachrisk.Answera.Riskimplications1.Credentialtheftviagatewaycompromiseleadstounrestrictedmainframeaccess.2.Weakpasswordsfacilitatebrute-forceattacksoncethegatewayisbypassed.3.LackofSIEMvisibilitydelaysdetectionofmaliciousmainframeactivity.b.Remediation1.EncryptgatewaycredentialsusinganHSM-backedvault;enforceannualrotationandrestrictsourceIPsviamTLS.2.Implement12-charactercomplexpasswordsandmainframe-basedMFA(e.g.,RACFPassTicket);deploybrute-forcemonitoring.3.EnableSMFlogforwardingthroughasecuresyslogproxy;parsetransactionsinrealtimeforanomalouspatterns(e.g.,high-valuebatchjobsoutsidemaintenancewindows).32.ScenarioAcity’ssmart-metroprojectusesIoTsensorstoadjusttrainfrequency.ThecontrolcentrereceivesdataviaMQTToverpublic4G.Anattackerpublishesspoofed“crowddensity”messages,causingtrainstoskipstations.Requireda.StateTWOcontrolfailuresthatallowedtheattack.b.Recommendadefence-in-depthstrategywithTHREElayers.Answera.Controlfailures1.NoMQTTbrokerauthentication(anonymouspublish).2.Lackofpayloadintegritychecks(nodigitalsignatureorTLSclientcerts).b.Defence-in-depth1.MutualTLSwithclientcertificatesissuedbyaprivateCA;brokerACLsrestrictpublishrightstosensorserialnumbers.2.JSONWebTokenssignedbysensors’secureelement,verifiedatthebrokerandagainattheSCADAapplication.3.Anomalydetectiononthecontrol-centresidecomparingsensordatawithhistoricalCCTVfootfallandticket-gatecounts;automaticfailovertotimetablemodeifvariance>15%.PartIV–CaseStudy(15marks)33.CaseFinCloudLtd.,afast-growingfintech,offersamicro-loanappprocessing50kapplicationsdaily.Thearchitectureisserverless:•Front-end:ReactNativemobileapp.•API:AWSAPIGateway→AWSLambda(Python)→DynamoDB.•Creditdecision:Lambdacallsathird-partyMLscorecardviaREST.•Storage:DynamoDBencryptedwithAWS-ownedkeys;S3bucketforselfiephotosencryptedwithSSE-S3.•CI/CD:GitHubActionsbuildsanddeploysviaTerraform;nomanualapprovals.•Monitoring:CloudWatchlogsretained30days.AuditfindingsexcerptF1.TheTerraformstatefileisstoredinanS3bucketwithversioningbutnoMFAdeleteandpubliclylistable.F2.LambdafunctionsrunwithfullAWS-managedPowerUseraccess.F3.TheMLscorecardproviderretainsapplicantdatafor“modelimprovement”withvagueconsentlanguage.F4.CloudWatchlogsarenotanalysed;alertsarebasedon5xxerrorspikesonly.F5.Pen-testingrevealedanIDORvulnerabilityallowingoneusertoretrieveanother’sloanstatusbyincrementingapplication_id.Tasksa.Foreachfinding,classifytherisktype(confidentiality,integrity,availability,privacy,compliance)andjustifyinonesentence.(5marks)b.Provideadetailedremediationroadmap,includingspecificAWSservicesoropen-sourcetools,timelines,andsuccessmetrics.(10marks)Answera.RiskclassificationF1:Confidentiality—publicS3listingexposesTerraformkeysandinfrastructuredesign.F2:Integrity—over-permissiveLambdarolesallowtamperingwithDynamoDBorS3objects.F3:Privacy—unclearconsentviolatesGDPRpurposelimitationand