
CISA Exam Notes

Last-minute traps, must-know facts, and scenario tips for the ISACA Certified Information Systems Auditor exam.

General Exam Tips

  1. Read ALL four answer choices before selecting — the 'obviously correct' option is often a distractor designed for IT practitioners, not auditors
  2. When two answers seem right, ask: which one reflects what an IS AUDITOR does (evaluate/assess/recommend) vs what an IT admin does (implement/configure/fix)?
  3. Questions asking 'what should the auditor do FIRST' almost always want you to gather information or conduct a risk assessment — not take action
  4. The word 'PRIMARY' in a question means hierarchy — risk to independence, then risk to the organization, then operational concerns
  5. Pace yourself: 150 questions in 240 minutes = 96 seconds per question. Mark hard ones and return; do not stall
  6. There is no penalty for wrong answers — never leave a question blank
  7. Domains 4 and 5 together are 52% of the exam; treat them as the exam, and the other domains as supporting material
  8. If an answer option says the auditor should 'implement,' 'configure,' 'fix,' or 'deploy' anything — that option is almost certainly wrong
  9. When the scenario involves a third-party vendor, the answer usually involves reviewing contracts, right-to-audit clauses, or SOC reports — not direct technical testing
  10. ISACA's preferred answer prioritizes formal process and documentation over speed and pragmatism. In real life you might reboot the server first; in ISACA-world you assess the situation and follow the incident response plan first
Domain 1 (18% of exam)

Information Systems Auditing Process

Must-Know Facts

  • Audit charter must be approved by the AUDIT COMMITTEE or BOARD — not by IT management or the CIO
  • Risk-based audit planning: audit resources go to highest-risk areas; audit rotation schedules and management preferences are never the correct driver
  • ISACA ITAF three tiers: mandatory standards (must follow), guidelines (should follow), tools and techniques (may follow)
  • Evidence reliability ranking from highest to lowest: auditor re-performance > auditor direct observation > externally generated evidence > client-generated evidence > oral inquiry
  • Statistical sampling allows projection of results to the entire population with a measurable confidence level; judgmental sampling does NOT allow population projection
  • CAATs (Computer-Assisted Audit Techniques): generalized audit software, test data, integrated test facility (ITF), embedded audit modules, parallel simulation — each for specific scenarios
  • Four control types: preventive (stop it), detective (find it), corrective (fix it), compensating (alternative when primary is impractical)
  • Audit finding components: condition (what is), criteria (what should be), cause (why), effect (impact), recommendation (how to fix)
  • Materiality determines whether a finding is significant enough to report — a finding is material if it could influence the decisions of the report's users
  • Audit follow-up: the auditor must verify that management has implemented agreed-upon corrective actions within agreed timelines

Common Traps

Trap: The IT director approved the audit charter, so independence is assured
Reality: The audit charter MUST be approved by the audit committee or board, never by IT or any management area being audited. IT management approving the charter compromises auditor independence — this is the PRIMARY concern, not the age of the charter

Trap: Judgmental (non-statistical) sampling is just as valid as statistical sampling for projecting findings to the population
Reality: Only statistical sampling allows you to project results to the entire population with a measurable confidence level. Judgmental sampling cannot be projected — results are limited to the sampled items only

Trap: Inquiry and interviews provide reliable evidence when performed with senior management
Reality: Inquiry is the LEAST reliable form of evidence regardless of who is asked. Auditors must corroborate inquiry with more reliable evidence types (re-performance, observation, documentation)

Trap: The integrated test facility (ITF) is the safest CAAT because it uses test data
Reality: ITF processes test data alongside LIVE production data, which risks contaminating production records. The specific risk is that test transactions mixed into production data can corrupt real results if not properly removed

Trap: If the error rate in a statistical sample is below the tolerable error rate, additional testing is needed to be thorough
Reality: If the sample error rate is below the tolerable error rate at the stated confidence level, the control IS operating effectively. Additional testing is not required unless there are other risk indicators. Over-testing wastes audit resources

Trap: Control self-assessment (CSA) is a replacement for formal IS audit procedures
Reality: CSA is a technique where management and staff assess their own controls, but it is NOT a substitute for independent IS audit. CSA supplements the audit — the auditor still independently validates CSA results

Confusing Pairs

Compliance Testing vs. Substantive Testing

Compliance testing verifies that CONTROLS are being followed (Are approvals documented? Is segregation of duties enforced?). Substantive testing verifies DATA accuracy (Are transactions correctly calculated? Are account balances accurate?). A system can pass substantive testing while failing compliance testing — accurate data produced by a process with absent controls is still an audit finding

Generalized Audit Software (GAS) vs. Test Data Method

GAS reads and analyzes actual production data — best for large populations, data analytics, identifying exceptions. Test data method submits artificial transactions through the live system to see how it processes them — best for testing processing logic and input validation. GAS does not test the processing logic; test data does not analyze real transaction populations

Audit Risk vs. Inherent Risk

Inherent risk is the risk that exists BEFORE considering controls — the raw exposure from a threat exploiting a vulnerability. Audit risk is the risk that the auditor issues an incorrect opinion (e.g., concludes controls are effective when they are not). Audit risk has components: inherent risk x control risk x detection risk

Scenario Tips

If the question asks about:

When a question asks what an auditor should do FIRST upon beginning an IS audit engagement...

Answer:

Review the audit charter and confirm audit scope and authority. The auditor must first establish that they have authority, independence, and a clear scope before any fieldwork begins

Distractor to avoid:

Starting with interviews or system access reviews — these are fieldwork activities, not planning activities. Without a confirmed charter, the auditor lacks authority

If the question asks about:

When a question asks which CAAT to use to test whether all purchase orders above $10,000 have two approvals across 500,000 transactions...

Answer:

Generalized audit software (GAS) — it can query the entire population, apply the rule, and extract all exceptions. This is exactly what GAS is designed for: large-population data analysis with defined criteria

Distractor to avoid:

Test data or ITF — these test how the SYSTEM processes transactions, not whether existing historical transactions comply with a policy
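Added example, not part of the original notes: what a GAS-style full-population test looks like in Python over a constructed purchase-order extract (a real run would read the full ERP population). It applies the compliance test from the scenario above (two approvals above $10,000; the example assumes the two approvers must be distinct people) and a substantive test (recorded amount equals quantity times unit price) from the Compliance vs. Substantive pair, so one population shows both kinds of finding.

```python
import csv
import io
from decimal import Decimal

# Constructed purchase-order extract for illustration only.
# Columns: po_id, amount, qty, unit_price, approvers ("|"-separated user ids).
SAMPLE_EXTRACT = """po_id,amount,qty,unit_price,approvers
PO-1001,15000.00,10,1500.00,alice|bob
PO-1002,25000.00,5,5000.00,alice
PO-1003,9999.99,1,9999.99,carol
PO-1004,12000.00,4,3000.00,dave|dave
PO-1005,18000.00,6,2500.00,erin|frank
"""

# Policy threshold from the scenario: POs above this amount need two approvals.
APPROVAL_THRESHOLD = Decimal("10000.00")


def load_population(text):
    """Parse the whole extract; Decimal keeps money arithmetic exact."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "po_id": r["po_id"],
            "amount": Decimal(r["amount"]),
            "qty": int(r["qty"]),
            "unit_price": Decimal(r["unit_price"]),
            "approvers": [a for a in r["approvers"].split("|") if a],
        })
    return rows


def compliance_exceptions(rows):
    """Compliance test: was the dual-approval CONTROL followed?

    Assumption: the two approvals must come from distinct people, so the
    same approver recorded twice (PO-1004) counts as a single approval.
    """
    return [
        r["po_id"]
        for r in rows
        if r["amount"] > APPROVAL_THRESHOLD and len(set(r["approvers"])) < 2
    ]


def substantive_exceptions(rows):
    """Substantive test: is the DATA itself correct (amount == qty * unit price)?"""
    return [r["po_id"] for r in rows if r["qty"] * r["unit_price"] != r["amount"]]


if __name__ == "__main__":
    population = load_population(SAMPLE_EXTRACT)
    # Every record is tested; nothing is projected from a sample.
    print("compliance exceptions:", compliance_exceptions(population))
    print("substantive exceptions:", substantive_exceptions(population))
```

PO-1005 is the case the Compliance vs. Substantive pair describes in reverse: the control was followed (two distinct approvers) but the recorded amount is wrong, so it is a substantive finding only.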

If the question asks about:

When the question asks about the PRIMARY purpose of an audit charter...

Answer:

To formally establish the IS audit function's authority, objectives, scope, responsibilities, and independence. It is the foundational document authorizing the audit function to operate

Distractor to avoid:

Describing the audit methodology or providing an audit plan — those are engagement-level documents. The charter is the organizational-level authorization document

Last-Minute Facts

1. ITAF = IT Audit Framework (ISACA's own professional standards)
2. Three levels of ITAF guidance: 1=Standards (mandatory), 2=Guidelines (recommended), 3=Tools/Techniques (optional)
3. Evidence reliability order: re-performance > observation > external docs > internal docs > inquiry
4. Statistical sampling: results projectable to population. Judgmental sampling: NOT projectable
5. ITF risk: test data mixed with live production data — contamination risk
6. CSA = Control Self-Assessment — supplements audit, does NOT replace it

Domain 2 (18% of exam)

Governance and Management of IT

Must-Know Facts

  • Governance (board-level): set direction, evaluate performance, ensure alignment. Management (IT leadership): plan, build, run, monitor operations within the governance framework
  • COBIT governance domain = Evaluate, Direct, Monitor (EDM). COBIT management domains = APO, BAI, DSS, MEA
  • IT strategic plan must be DERIVED FROM the enterprise business plan — not developed independently by IT and then presented to management
  • The CIO should ideally report to the CEO or board — reporting to the CFO signals that IT is viewed as a cost center, not a strategic enabler, creating alignment risk
  • IT steering committee advises and prioritizes IT initiatives but does NOT make day-to-day operational decisions — that is management's role
  • IT balanced scorecard (BSC) measures IT performance across four perspectives: financial, customer, internal process, and learning/growth
  • IT policies (what to do), standards (minimum required levels of implementation), and procedures (step-by-step how to) form a hierarchy — auditors verify all three exist and are enforced
  • Benefits realization: IT investment decisions require a business case; post-implementation, management must measure and report whether expected benefits were achieved
  • Enterprise architecture frameworks (TOGAF, Zachman) align IT infrastructure and systems with business strategy — auditors evaluate whether EA supports business objectives
  • Quality management: CMMI maturity levels (1=Initial, 2=Managed, 3=Defined, 4=Quantitatively Managed, 5=Optimizing) used to assess process maturity

Common Traps

Trap: The IT steering committee is responsible for IT governance and approves the IT strategy
Reality: Governance responsibility sits with the BOARD and senior management, not the IT steering committee. The steering committee is an advisory body that prioritizes IT investments and monitors progress — it reports to the board, it does not replace board-level governance responsibility

Trap: The CIO reporting to the CFO is an efficient structure because IT budgets are large financial decisions
Reality: CIO reporting to the CFO subordinates IT strategy to financial priorities. The PRIMARY RISK is that IT decisions will be driven by cost reduction rather than strategic value. This structure indicates a governance weakness, not efficiency

Trap: COBIT is used to implement IT security controls similar to ISO 27001
Reality: COBIT is a governance and management framework — it provides a structure for IT governance, not a catalog of security controls. ISO 27001 and NIST SP 800-53 are control frameworks. COBIT tells you WHAT governance and management processes to have; it does not specify HOW to implement technical security controls

Trap: IT management developing the IT strategy independently ensures it is technically sound
Reality: The IT strategy must be co-developed with business stakeholders to ensure alignment with business objectives. A technically sound IT strategy that does not support business goals is an audit finding. The correct answer is to involve business stakeholders and align IT strategy to the enterprise business plan

Confusing Pairs

IT Governance vs. IT Management

Governance = board and senior management setting direction, evaluating outcomes, monitoring compliance. Management = CIO and IT leaders planning, building, running, and monitoring operations. Governance asks 'Are we doing the right things?' Management asks 'Are we doing things right?' In COBIT: Governance=EDM (Evaluate, Direct, Monitor); Management=APO+BAI+DSS+MEA

IT Policy vs. IT Standard vs. IT Procedure

Policy = management directive stating WHAT must be achieved (e.g., 'All data must be encrypted at rest'). Standard = specific requirements for HOW MUCH or WHAT LEVEL (e.g., 'AES-256 encryption must be used'). Procedure = step-by-step HOW to implement (e.g., 'To encrypt a database: step 1, step 2...'). Missing any tier is an audit finding even if the others exist

Key Goal Indicator (KGI) vs. Key Performance Indicator (KPI)

KGI measures whether business goals were achieved — outcomes, end results (lagging indicator). KPI measures the performance of processes to predict whether goals will be achieved — activities and throughput (leading indicator). KGIs tell you if you succeeded; KPIs tell you if you are on track

Scenario Tips

If the question asks about:

When the question presents an IT department that built its own IT strategic plan without business input and asks what the auditor should recommend...

Answer:

Recommend that the IT strategic plan be redeveloped with involvement from business stakeholders and aligned to the enterprise business strategy. Simply approving or getting board sign-off on an already-misaligned plan does not fix the root problem

Distractor to avoid:

Recommending the board approve the existing plan — approval alone does not create alignment. The plan itself must reflect business objectives to be valid

If the question asks about:

When a question asks which COBIT process belongs to governance vs. management...

Answer:

Governance = EDM processes (Evaluate, Direct, Monitor). If the activity is 'evaluate whether IT aligns with business goals' or 'monitor IT performance and report to the board' — that is governance. If it involves planning, building, running, or supporting IT services — that is management (APO/BAI/DSS/MEA)

Distractor to avoid:

Thinking that monitoring and reporting automatically means management — monitoring at the board level to assess whether governance objectives are met is a governance (EDM) activity

Last-Minute Facts

1. COBIT governance = EDM (Evaluate, Direct, Monitor)
2. COBIT management = APO (Align, Plan, Organize) + BAI (Build, Acquire, Implement) + DSS (Deliver, Service, Support) + MEA (Monitor, Evaluate, Assess)
3. ISO/IEC 38500 = corporate governance of IT (board-level standard)
4. COSO = internal control framework for financial reporting (5 components: control environment, risk assessment, control activities, information/communication, monitoring)
5. CMMI Level 3 = Defined processes (most common exam baseline for 'mature' organizations)
6. IT BSC = 4 perspectives: Financial, Customer, Internal Process, Learning and Growth

Domain 3 (12% of exam)

Information Systems Acquisition, Development and Implementation

Must-Know Facts

  • IS auditors should be involved from the FEASIBILITY stage of SDLC — not just at testing or implementation. Early involvement prevents costly rework of control gaps
  • SDLC phases in order: feasibility study, requirements definition, design, development, testing (unit, integration, system, UAT), implementation, post-implementation review
  • User Acceptance Testing (UAT) must be performed by BUSINESS USERS, not IT staff, developers, or QA teams — it validates that the system meets business requirements
  • Change management process: request → impact assessment → approval by change advisory board → testing in non-production environment → scheduled implementation → post-implementation review
  • Emergency changes: bypass normal approval but MUST have after-the-fact documentation and approval. 'Emergency' does not mean 'undocumented'
  • Segregation of duties: developers must NOT have access to production environments. Testing must be done with test data in isolated test environments, not production data
  • Implementation strategies from lowest to highest risk: parallel running, phased, pilot, direct cutover
  • Post-implementation review: verifies the system meets original requirements, delivers expected benefits, and that controls operate as designed
  • Application controls: input controls (validation, sequence, limit/range, completeness), processing controls (run-to-run totals, hash totals, control totals), output controls (reconciliation, distribution, retention)
  • Feasibility study evaluates: technical feasibility (can we build it?), economic feasibility (is it cost-effective?), operational feasibility (will users adopt it?), legal/regulatory feasibility

Common Traps

Trap: The auditor should wait until the system testing phase to begin reviewing the new system implementation
Reality: Auditor involvement must begin at the FEASIBILITY stage. Discovering control gaps during requirements or design costs far less to fix than discovering them after development or go-live. Waiting until testing is explicitly wrong in ISACA's view

Trap: Emergency changes do not require the same documentation as normal changes since speed is the priority
Reality: Emergency changes bypass the pre-approval process but require documented after-the-fact approval and review. Missing after-the-fact documentation for emergency changes is an audit finding. The exception is process, not permanence

Trap: Parallel running is too expensive; a pilot rollout in one location provides adequate validation with less cost
Reality: Parallel running is the SAFEST implementation approach because both old and new systems run simultaneously, allowing direct comparison. Pilot reduces risk compared to direct cutover but is not as safe as parallel running. For critical financial or mission-critical systems, the question will expect parallel running to be identified as lowest risk

Trap: IT staff can perform UAT because they understand the system requirements better than end users
Reality: UAT must be performed by the BUSINESS USERS who will actually use the system. IT staff cannot validate business requirements — they know how the system was built, but business users know how it needs to work in practice. IT staff performing UAT is an audit finding

Confusing Pairs

Application Controls vs. General IT Controls (GITCs)

Application controls are embedded within SPECIFIC applications — they validate input, ensure processing accuracy, and reconcile output for that one application. GITCs are environment-wide controls (access management, change management, operations) that support ALL applications. Critical audit logic: if GITCs are weak, you CANNOT rely on application controls regardless of how well-designed they are, because the infrastructure they run on is not trustworthy

Parallel Running vs. Pilot Implementation

Parallel running: OLD and NEW systems run simultaneously across the full scope — outputs compared for accuracy. Highest cost, lowest risk. Pilot: NEW system deployed in ONE location while old system continues elsewhere — tests real conditions but limited scope. If pilot fails, only one site is affected. Parallel running is safer; pilot is cheaper

Configuration Management vs. Change Management

Change management controls the PROCESS of approving and implementing changes (request, assess, approve, implement, review). Configuration management tracks and controls the STATE of IT assets — what version of software is on which server, what configuration settings are applied. Change management without configuration management means you cannot verify what was actually changed

Scenario Tips

If the question asks about:

When a question asks about 15 emergency changes in a quarter where only 3 have after-the-fact approvals...

Answer:

The PRIMARY concern is that 12 emergency changes lack after-the-fact documentation, meaning potentially unauthorized or improperly reviewed changes exist in production. This is an uncontrolled change management failure, not merely a documentation oversight

Distractor to avoid:

Focusing on the high volume of emergency changes as the primary concern — while worth investigating, the root concern is the missing documentation for the changes that were made, creating accountability and integrity risk

If the question asks about:

When asked which implementation strategy a hospital should use when replacing its patient records system...

Answer:

Parallel running — for a critical system where data integrity is essential and failures have serious consequences, parallel running allows the old and new systems to be compared and any discrepancies corrected before fully cutting over

Distractor to avoid:

Direct cutover because it is faster — speed is never the right answer for high-criticality system replacements in ISACA's framework

Last-Minute Facts

1. SDLC auditor entry point = feasibility stage (NOT testing stage)
2. UAT = business users only, not IT staff
3. Implementation risk order (safest to riskiest): parallel > phased > pilot > direct cutover
4. Emergency changes: bypass pre-approval, but STILL need after-the-fact documentation
5. Developers in production = critical segregation of duties violation
6. Weak GITCs = cannot rely on application controls (fundamental audit logic)
7. Post-implementation review confirms benefits realization and control effectiveness

Domain 4 (26% of exam)

Information Systems Operations and Business Resilience

Must-Know Facts

  • BIA (Business Impact Analysis) must be completed FIRST before developing BCP or DRP — BIA identifies critical processes, quantifies disruption impact, and sets recovery priorities
  • Recovery metrics: RTO = maximum acceptable time to restore a system after disruption. RPO = maximum acceptable data loss measured in time. MTD = maximum tolerable downtime before the business fails. Relationship: MTD must be greater than or equal to RTO
  • Recovery sites by cost and recovery time: mirror site (real-time replication, immediate), hot site (fully equipped, hours), warm site (partially equipped, days), cold site (empty facility, weeks/months)
  • Backup strategies: full backup (complete, slow to create, fast to restore), incremental backup (changes since LAST BACKUP, fast to create, SLOW to restore — needs full + all incrementals), differential backup (changes since LAST FULL BACKUP, moderate to create, faster to restore — needs full + last differential only)
  • BCP/DRP testing types from least to most rigorous: tabletop/walkthrough (discuss the plan), simulation (practice response without affecting production), parallel test (test recovery while production continues), full interruption test (switch to backup systems, highest assurance but highest risk)
  • Incident management sequence: detect, contain (FIRST PRIORITY after detection — before reporting up the chain), eradicate, recover, post-incident review (lessons learned)
  • Problem management vs incident management: incident management restores service QUICKLY. Problem management identifies and eliminates ROOT CAUSES to prevent recurrence
  • IT service management (ITIL): service levels defined in SLAs; capacity management ensures resources meet demand; availability management ensures systems meet uptime targets
  • Segregation of duties in operations: operators should not have programming access; programmers should not have operator access to production systems
  • Data center controls: gas-based fire suppression (FM-200, Inergen, CO2) for IT equipment — never water-based sprinklers. UPS for short-term power, generator for sustained power loss

Common Traps

Trap: The BCP and DRP can be developed simultaneously without a completed BIA since the BIA is just documentation
Reality: BIA MUST come first. Without it, BCP/DRP recovery priorities are arbitrary guesses. BIA tells you WHICH processes are critical, WHAT the financial and operational impact of disruption is, and HOW QUICKLY each process must be recovered. No BIA = no defensible BCP/DRP priorities

Trap: A tabletop exercise provides adequate assurance that the DRP will work in a real disaster
Reality: A tabletop exercise only tests plan AWARENESS and team communication — it does not validate that systems can actually be recovered. The BEST assurance comes from a full interruption test where recovery is actually executed. Tabletop is the starting point, not the end goal

Trap: Incremental backups are better than differential backups because they take less time to create each night
Reality: Incremental backups are faster to create but significantly SLOWER to restore (you need the last full backup + every individual incremental since then). Differential backups take longer to create but require only the last full + the last differential for restoration. The tradeoff is creation speed vs restoration speed — the RPO and recovery urgency determine which is appropriate

Trap: The hot site is always the best recovery option because it provides the fastest recovery time
Reality: The BEST recovery option depends on the organization's RTO. Hot sites are most appropriate for systems with very short RTOs (hours). For systems that can tolerate days of recovery time, a warm site is more cost-effective. There is no universally 'best' option — the correct answer always ties back to the specific RTO requirement from the BIA

Trap: When a server crashes, the IS auditor should recommend the operations team reboot it immediately to restore service
Reality: The IS auditor is NOT an operations role. The auditor's recommendation should be to follow the documented incident response plan, including assessing the nature of the failure, determining if it was an attack, and following containment procedures before restoration. Immediate reboot without investigation may destroy forensic evidence

Trap: Problem management and incident management both aim to restore service as quickly as possible
Reality: Incident management aims to restore service as fast as possible (workarounds are acceptable). Problem management finds the ROOT CAUSE to prevent recurrence — speed is not the priority, thoroughness is. A question about 'recurring incidents' always points to a problem management answer, not an incident management answer

Confusing Pairs

RTO (Recovery Time Objective) vs. RPO (Recovery Point Objective) vs. MTD (Maximum Tolerable Downtime)

RTO = how long you have to restore the system (drives site type selection: hot/warm/cold). RPO = how much data you can afford to lose (drives backup frequency: real-time replication vs hourly vs daily). MTD = the absolute maximum before the business itself fails (MTD >= RTO; if recovery takes longer than MTD, the business collapses). Short RPO = need real-time replication. Short RTO = need hot site
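Added example, not from the original notes: a small Python model of the restore chain and worst-case data loss for the backup strategies described in the facts and traps above, generalised to mixed schedules where differentials and incrementals are combined after one full backup. The weekly schedule, the failure time and the two RPO values are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "incremental" or "differential"
    taken_at: datetime


def build_schedule(full_at, nightly_kinds):
    """One full backup at full_at, then one backup per night of the given kinds."""
    sched = [Backup("full", full_at)]
    for day, kind in enumerate(nightly_kinds, start=1):
        sched.append(Backup(kind, full_at + timedelta(days=day)))
    return sched


def restore_chain(schedule, failure_at):
    """Backup sets needed, in restore order, to recover to the last point before failure_at.

    Rules from the notes: an incremental holds changes since the PREVIOUS backup,
    a differential holds changes since the LAST FULL. So the chain is the last full,
    then the most recent differential after it (if any), then every incremental
    taken after that differential (or after the full when there is none).
    """
    usable = sorted((b for b in schedule if b.taken_at <= failure_at),
                    key=lambda b: b.taken_at)
    full_positions = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not full_positions:
        raise ValueError("no full backup exists before the failure time")
    start = full_positions[-1]
    chain = [usable[start]]
    diff_positions = [i for i in range(start + 1, len(usable))
                      if usable[i].kind == "differential"]
    if diff_positions:
        # Earlier differentials and any incrementals before this one are superseded.
        start = diff_positions[-1]
        chain.append(usable[start])
    chain.extend(b for b in usable[start + 1:] if b.kind == "incremental")
    return chain


def worst_case_data_loss(schedule, failure_at):
    """Everything written after the last usable backup is lost: the RPO exposure."""
    return failure_at - restore_chain(schedule, failure_at)[-1].taken_at


def meets_rpo(schedule, failure_at, rpo):
    """True when the backup frequency keeps worst-case loss within the RPO."""
    return worst_case_data_loss(schedule, failure_at) <= rpo


# Constructed scenario: full backup Sunday 02:00, nightly backups at 02:00,
# failure the following Saturday at 14:00 (12 hours after the last backup).
FULL_AT = datetime(2024, 1, 7, 2, 0)
FAILURE_AT = datetime(2024, 1, 13, 14, 0)
INCREMENTAL_SCHEDULE = build_schedule(FULL_AT, ["incremental"] * 6)
DIFFERENTIAL_SCHEDULE = build_schedule(FULL_AT, ["differential"] * 6)
MIXED_SCHEDULE = build_schedule(FULL_AT, ["differential", "incremental", "differential",
                                          "incremental", "incremental", "incremental"])
RPO_DAILY = timedelta(hours=24)      # tolerates one lost day
RPO_TRADING = timedelta(minutes=15)  # the trading-platform RPO from the scenario tips

if __name__ == "__main__":
    for name, sched in [("incremental", INCREMENTAL_SCHEDULE),
                        ("differential", DIFFERENTIAL_SCHEDULE),
                        ("mixed", MIXED_SCHEDULE)]:
        chain = restore_chain(sched, FAILURE_AT)
        print(name, "restore needs", len(chain), "sets:", [b.kind for b in chain])
    print("worst-case loss:", worst_case_data_loss(INCREMENTAL_SCHEDULE, FAILURE_AT))
    print("meets 24h RPO:", meets_rpo(INCREMENTAL_SCHEDULE, FAILURE_AT, RPO_DAILY))
    print("meets 15min RPO:", meets_rpo(INCREMENTAL_SCHEDULE, FAILURE_AT, RPO_TRADING))
```

Both nightly strategies lose the same 12 hours of data here, which is the point of the notes: backup type decides restore effort, backup frequency decides RPO, and a 15-minute RPO cannot be met by any nightly scheme.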

BCP (Business Continuity Plan) vs. DRP (Disaster Recovery Plan)

BCP = enterprise-wide plan covering people, processes, facilities, communications, and technology to continue BUSINESS OPERATIONS during and after disruption. DRP = technical plan for restoring IT systems, infrastructure, and data. DRP is a SUBSET of BCP. If a question asks about recovering the entire business — BCP. If it asks about restoring the email server — DRP

Full Interruption Test vs. Parallel Test

Parallel test: actual recovery systems are brought up and tested WHILE production continues running — minimal business risk, but cannot fully validate failover. Full interruption test: production is actually switched to recovery systems — highest assurance that failover works, but highest risk of business disruption if recovery fails. The exam often asks which provides 'best assurance' (full interruption) vs which is 'least disruptive to operations' (parallel)

Scenario Tips

If the question asks about:

When an organization with a 2-hour RTO and 15-minute RPO for its trading platform asks which recovery strategy to implement...

Answer:

Hot site with near-real-time data replication (or mirror site). A 2-hour RTO eliminates warm and cold sites. A 15-minute RPO eliminates anything but continuous or near-continuous data replication. Both constraints must be satisfied

Distractor to avoid:

Warm site with hourly differential backups — this satisfies neither the RTO (days, not hours, for warm site activation) nor the RPO (hourly backups create up to 60 minutes of data loss, which exceeds 15 minutes)

If the question asks about:

When the DRP was tested with a tabletop exercise two years ago and the auditor needs to recommend next steps...

Answer:

Recommend testing at least annually using progressively more rigorous methods — moving beyond tabletop to simulation or parallel testing to actually validate recovery capability. Two years without testing is too infrequent, and tabletop alone provides insufficient assurance

Distractor to avoid:

Recommend an immediate full interruption test — this is too aggressive without first validating the plan through less risky test types. Jumping straight to full interruption without prior simulation testing is itself a risk management failure

If the question asks about:

When asked what MOST indicates that an incident management process is working effectively...

Answer:

Mean Time to Repair (MTTR) decreasing over time combined with documented containment and root cause analysis for each incident. Effective incident management reduces time to restore AND produces documentation that feeds into problem management

Distractor to avoid:

The number of incidents detected — high detection rates indicate good monitoring, not effective incident management. The management question is whether detected incidents are being resolved efficiently and recurrence is decreasing

Last-Minute Facts

1. BIA FIRST, then BCP, then DRP — in that order
2. MTD >= RTO (always; if RTO > MTD, the business has already failed before IT recovers)
3. Incremental restore: full backup + all incrementals since. Differential restore: full backup + last differential only
4. Recovery site cost order (cheapest to most expensive): cold < warm < hot < mirror
5. Full interruption test = best assurance; highest risk. Tabletop = lowest risk; lowest assurance
6. Incident management = restore service fast. Problem management = eliminate root cause
7. Fire suppression in data centers = gas-based (FM-200, Inergen). Never water sprinklers
8. UPS = short-term power continuity. Generator = sustained backup power
9. Grandfather-father-son = backup rotation scheme (daily, weekly, monthly tapes)

Domain 5 (26% of exam)

Protection of Information Assets

Must-Know Facts

  • Defense in depth: layered security controls so that no single failure exposes assets — perimeter, network, host, application, data layers
  • Least privilege: users receive only the minimum access necessary for their job function — nothing more
  • Separation of duties: no single person can initiate AND approve AND post a transaction. Critical fraud prevention control for financial and privileged operations
  • Access control models: DAC (owner decides who accesses their data — flexible), MAC (classification labels enforced by the system — most restrictive, used in government), RBAC (permissions assigned to roles — most scalable for large organizations, ISACA's preferred model for enterprises)
  • Authentication factors: something you know (password/PIN), something you have (token/smart card), something you are (biometric). Multi-factor requires at least two DIFFERENT factor types
  • Encryption: AES (symmetric, fast, bulk data), RSA (asymmetric, key exchange and digital signatures), SHA-256 (hashing, integrity only — not encryption). PKI components: Certificate Authority (CA), Registration Authority (RA), Certificate Revocation List (CRL)
  • Digital signature process: sender hashes the message, encrypts the hash with their PRIVATE key. Receiver decrypts the hash with the sender's PUBLIC key, then re-hashes the message to verify. Provides authentication, non-repudiation, and integrity
  • Firewall types: packet filtering (IP/port, stateless, fastest, least secure), stateful inspection (tracks connection state, more secure), application-level proxy (inspects payload, most secure, slowest). Next-generation firewalls add application identification and user identity
  • IDS vs IPS: IDS passively detects and ALERTS. IPS actively BLOCKS malicious traffic. IDS does not stop attacks; IPS can cause false-positive blocking of legitimate traffic
  • Vulnerability management cycle: discover, assess/prioritize, remediate, verify, report. Patch management is a key component — must test patches in non-production before deploying to production
  • Incident response phases: prepare, detect and identify, contain, eradicate, recover, post-incident review. Evidence preservation and chain of custody are mandatory if legal action may follow
  • Data classification drives everything: determines access controls, encryption requirements, handling procedures, retention periods, and destruction methods for each data category
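The digital signature bullet above, carried through in working code. This is an added example, not from the page or from ISACA: the key is a toy built from two published Mersenne primes, so it is neither secret nor secure; it exists only to make the private-key/public-key roles and the tamper check visible. The function names (sign, verify, forge_with_public_key) and the sample messages are my own.

```python
import hashlib
from math import gcd

# Toy RSA key, constructed for illustration only: both primes are published
# Mersenne primes, so anyone can rebuild the private key. A real key uses two
# secret random primes of 1024+ bits each plus a padding scheme such as PSS.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                                           # public modulus
E = 65537                                           # public exponent
LAMBDA_N = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael lambda(N)
D = pow(E, -1, LAMBDA_N)                            # private exponent (Python 3.8+)


def message_hash(message: bytes) -> int:
    """Step 1 on both sides: SHA-256 the message. The digest is reduced mod N
    only because this toy modulus (about 92 bits) is smaller than a 256-bit
    digest; with a real 2048-bit key the padded digest fits under N as-is."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, then apply the PRIVATE exponent to the hash."""
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: apply the sender's PUBLIC exponent to the signature to recover
    the hash the sender signed, re-hash the received message, and compare.
    Any change to the message changes the hash, so a tampered message (or a
    signature lifted from another message) fails."""
    recovered = pow(signature, e, n)
    return recovered == message_hash(message)


def forge_with_public_key(message: bytes) -> bool:
    """What an attacker holding only the PUBLIC key can do: exponentiate the
    hash with E instead of D. Returns whether that bogus signature verifies;
    it does not, which is why the private key is what gives non-repudiation."""
    bogus = pow(message_hash(message), E, N)
    return verify(message, bogus)


if __name__ == "__main__":
    original = b"Pay 1,000 to account 42"     # constructed sample message
    tampered = b"Pay 9,000 to account 42"     # one digit changed in transit
    sig = sign(original)
    print("signature:", sig)
    print("original verifies:", verify(original, sig))
    print("tampered verifies:", verify(tampered, sig))
    print("public-key forgery verifies:", forge_with_public_key(original))
```

The three checks at the bottom map onto the three properties the bullet lists: the original verifying is integrity plus authentication, the tampered copy failing is integrity, and the public-key forgery failing is non-repudiation (only the private-key holder could have produced the valid signature).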

Common Traps

Trap: Using a complex password combined with a security question constitutes multi-factor authentication
Reality: A password and a security question are BOTH 'something you know' — they are the same factor type. True multi-factor authentication requires two DIFFERENT factor categories. Password (know) + hardware token (have) = MFA. Password + security question = single-factor authentication with an extra step
Trap: IDS and IPS are interchangeable because both detect intrusions
Reality: IDS DETECTS and ALERTS — it is passive and does not block traffic. IPS DETECTS and BLOCKS — it actively prevents malicious traffic from passing. IDS is appropriate when you need full visibility without blocking risk. IPS is appropriate when you need active prevention but must manage false positive risk (legitimate traffic may be blocked)
Trap: Symmetric encryption (AES) is inferior to asymmetric encryption (RSA) and should be replaced with RSA for all data encryption
Reality: Symmetric encryption is FASTER and appropriate for bulk data encryption. Asymmetric encryption is SLOWER and appropriate for key exchange and digital signatures. Hybrid systems (like TLS/HTTPS) use asymmetric encryption to securely exchange a symmetric session key, then use symmetric encryption for the actual data — getting the best of both
Trap: Biometric authentication is always more secure than passwords because biometrics cannot be shared or guessed
Reality: Biometric systems have False Acceptance Rate (FAR) and False Rejection Rate (FRR) — these are inversely related. Lowering FAR (fewer impostors accepted) increases FRR (more legitimate users rejected). The Crossover Error Rate (CER) where FAR=FRR is the biometric accuracy benchmark. Biometrics also cannot be changed if compromised — if a fingerprint is stolen, you cannot issue a new fingerprint
Trap: Water-based sprinklers are acceptable for data center fire suppression because they are reliable and widely tested
Reality: Water-based sprinklers DAMAGE IT EQUIPMENT; water may cause as much or more harm than the fire. Data centers should use gas-based suppression systems (FM-200, Inergen, CO2) that extinguish fires without damaging electronics. Caveat worth knowing: CO2 works by displacing oxygen and is lethal to people in the room, so it is only appropriate for unoccupied spaces; if the scenario mentions staff on the floor, FM-200 or an inert gas such as Inergen is the better pick. This is a classic CISA exam test that catches candidates who apply building safety knowledge instead of data center standards
Trap: Penetration testing and vulnerability scanning are equivalent ways to assess security weaknesses
Reality: Vulnerability scanning is AUTOMATED discovery of known weaknesses — it identifies potential vulnerabilities without exploiting them. Penetration testing ACTIVELY EXPLOITS vulnerabilities to prove exploitability and measure actual risk. Pen testing requires more skill, takes more time, and carries execution risk, but proves what an attacker could actually achieve
Trap: Technical controls alone (firewalls, IDS, encryption) are sufficient to protect against social engineering attacks
Reality: Social engineering attacks target PEOPLE, not technology. Technical controls cannot stop a user who has been manipulated into voluntarily giving out credentials. The correct defense is security awareness training, combined with clear policies and reporting procedures. Technical controls complement but cannot replace the human element

Confusing Pairs

Symmetric Encryption (AES) vs Asymmetric Encryption (RSA)

Symmetric = one shared secret key, fast, used for bulk data (disk encryption, VPN tunnels, database encryption). Problem: secure key distribution. Asymmetric = public/private key pair, slow, used for key exchange and digital signatures. Solution to the key distribution problem. In practice: use asymmetric to securely exchange a symmetric key, then use symmetric for data. AES-256 = gold standard for data. RSA-2048+ = the exam's gold standard for key exchange. Practitioner caveat: TLS 1.3 establishes the session key with ephemeral Diffie-Hellman (ECDHE) for forward secrecy and uses the RSA or ECDSA certificate key only to sign the handshake, but the exam principle (asymmetric to establish the key, symmetric for the data) is unchanged

DAC (Discretionary Access Control) vs MAC (Mandatory Access Control) vs RBAC (Role-Based Access Control)

DAC: resource OWNER controls access (like Windows file shares where file owner sets permissions) — flexible but inconsistent. MAC: system enforces access based on LABELS and CLEARANCES (like classified government systems: SECRET/TOP SECRET) — most restrictive, cannot be overridden by users. RBAC: permissions assigned to ROLES, users assigned to roles (like 'Accountant' role gets finance access) — most scalable for enterprises. ISACA prefers RBAC for large organizations

Vulnerability Scanning vs Penetration Testing

Vulnerability scanning: automated tool identifies POTENTIAL weaknesses, does not exploit them, less disruptive, can run frequently. Penetration testing: human or automated tool actually EXPLOITS vulnerabilities to confirm they are real and measurable, more disruptive, requires controlled scope. Scan first to find vulnerabilities; pen test to confirm exploitability and business impact

False Acceptance Rate (FAR) vs False Rejection Rate (FRR)

FAR: rate at which an unauthorized person is incorrectly accepted (security failure — wrong people get in). FRR: rate at which an authorized person is incorrectly rejected (usability failure — right people can't get in). FAR and FRR are inversely related — increasing sensitivity reduces FAR but increases FRR. CER (Crossover Error Rate) = the point where FAR equals FRR; lower CER means more accurate biometric system
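The FAR/FRR/CER relationship described above and in the biometric trap, computed over a constructed set of match scores. This is an added example, not from the page or from any biometric vendor: the two score lists are made up, the threshold rule (accept when score is at or above the threshold) is assumed, and the function names are mine. It shows why the two rates move in opposite directions and what tightening FAR costs in rejected users.

```python
# Constructed sample match scores (0 = no resemblance, 100 = perfect match);
# not taken from any real biometric system.
GENUINE_SCORES = [55, 62, 68, 70, 74, 78, 81, 85, 88, 92]   # enrolled users
IMPOSTOR_SCORES = [20, 31, 40, 48, 52, 58, 63, 66, 71, 77]  # impostors


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False Acceptance Rate: share of impostor attempts the system ACCEPTS
    (score at or above the threshold). A security failure."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False Rejection Rate: share of genuine attempts the system REJECTS
    (score below the threshold). A usability failure."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(thresholds=range(0, 101), genuine=GENUINE_SCORES,
                impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) for each candidate threshold. Walking up the
    thresholds shows the inverse relationship: FAR only falls, FRR only rises."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def crossover(thresholds=range(0, 101), genuine=GENUINE_SCORES,
              impostor=IMPOSTOR_SCORES):
    """Crossover Error Rate: the threshold where FAR and FRR are closest to
    equal, and the rate at that point. Lower CER = more accurate system."""
    t, a, r = min(error_curve(thresholds, genuine, impostor),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_far(max_far, thresholds=range(0, 101),
                      genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold that keeps FAR at or below max_far, together with the
    FRR that results. Buying a lower FAR is always paid for in higher FRR."""
    for t in thresholds:
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None


if __name__ == "__main__":
    for t, a, r in error_curve(range(50, 86, 5)):
        print(f"threshold {t:3d}: FAR {a:.1f}  FRR {r:.1f}")
    print("crossover (threshold, CER):", crossover())
    print("zero impostors accepted costs (threshold, FRR):", threshold_for_far(0.0))
```

On this sample the crossover sits at threshold 67 with both rates at 0.2; pushing FAR to zero requires threshold 78, at which half of the legitimate users are rejected. That trade-off, not the raw sensitivity of the sensor, is what the exam wants you to reason about.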

Scenario Tips

If the question asks about:

When a financial application allows one employee to initiate, approve, and post transactions...

Answer:

This is a separation of duties violation — the PRIMARY concern. No single individual should control an entire transaction cycle because this creates undetected fraud risk. The auditor should recommend segregating these functions across different roles or individuals

Distractor to avoid:

Recommending additional logging or monitoring — while compensating controls like enhanced logging are appropriate where full separation is impractical, the primary finding is the SOD violation itself, not monitoring gaps
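The separation-of-duties check from this scenario, run over a constructed transaction audit trail and over a constructed set of user entitlements. This is an added example, not from the page or from ISACA; the log rows, the user names, the step names (initiate/approve/post) and the function names are mine. The detective check finds transactions where one person performed more than one incompatible step; the preventive check finds users whose entitlements alone would let them do so, which is the finding an auditor would actually raise.

```python
from collections import defaultdict

# Steps that must never be performed by the same person on one transaction.
INCOMPATIBLE_STEPS = {"initiate", "approve", "post"}

# Constructed audit trail: (transaction_id, user, step). Not real data.
AUDIT_TRAIL = [
    ("TX-1001", "alice", "initiate"),
    ("TX-1001", "bob", "approve"),
    ("TX-1001", "carol", "post"),       # clean: three different people
    ("TX-1002", "dave", "initiate"),
    ("TX-1002", "dave", "approve"),     # dave both initiated and approved
    ("TX-1002", "erin", "post"),
    ("TX-1003", "frank", "initiate"),
    ("TX-1003", "frank", "approve"),
    ("TX-1003", "frank", "post"),       # frank ran the whole cycle alone
    ("TX-1004", "alice", "initiate"),
    ("TX-1004", "alice", "view"),       # 'view' is not a conflicting step
    ("TX-1004", "bob", "approve"),
    ("TX-1004", "carol", "post"),
]

# Constructed entitlement snapshot: user -> capabilities granted by their roles.
ENTITLEMENTS = {
    "alice": {"initiate", "view"},
    "bob": {"approve", "view"},
    "carol": {"post"},
    "dave": {"initiate", "approve"},
    "frank": {"initiate", "approve", "post"},
}


def sod_violations(trail, incompatible=INCOMPATIBLE_STEPS):
    """Detective check. Return {transaction_id: {user: [steps]}} for every
    transaction in which one user performed two or more incompatible steps."""
    steps = defaultdict(lambda: defaultdict(set))
    for tx, user, step in trail:
        if step in incompatible:
            steps[tx][user].add(step)
    violations = {}
    for tx, users in steps.items():
        offenders = {u: sorted(s) for u, s in users.items() if len(s) > 1}
        if offenders:
            violations[tx] = offenders
    return violations


def toxic_combinations(entitlements, incompatible=INCOMPATIBLE_STEPS):
    """Preventive check. List users whose granted capabilities would LET them
    perform two or more incompatible steps, whether or not they have yet."""
    return {u: sorted(c & incompatible)
            for u, c in entitlements.items() if len(c & incompatible) > 1}


if __name__ == "__main__":
    print("transactions with SoD violations:", sod_violations(AUDIT_TRAIL))
    print("users with toxic entitlements:", toxic_combinations(ENTITLEMENTS))
```

Note the two outputs answer different questions. The audit-trail scan is the compensating monitoring control the distractor talks about; the entitlement scan points at the root cause (roles that combine initiate, approve and post), which is what the recommendation to segregate functions has to fix.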

If the question asks about:

When an organization asks which VPN authentication method provides true multi-factor authentication...

Answer:

Password (something you know) + hardware OTP token (something you have) = true MFA. Two passwords, a password + security question, or a long passphrase are all single-factor (all 'something you know')

Distractor to avoid:

A password with a complex security question — security questions are knowledge-based, making this one-factor authentication with an extra step, not two-factor

If the question asks about:

When a vulnerability scan finds critical vulnerabilities on production servers and the auditor needs to evaluate the organization's response...

Answer:

Verify that the organization prioritizes vulnerabilities by risk, remediates according to a documented schedule tied to severity, tests patches in non-production first, and verifies remediation after patching. The process matters, not just whether individual vulnerabilities were patched

Distractor to avoid:

Confirming that all vulnerabilities were patched immediately — not all vulnerabilities require immediate remediation; risk-based prioritization is the correct approach
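The remediation process the auditor is told to verify in this scenario, expressed as a check over scan findings. This is an added example, not from the page or from any scanner vendor: the remediation windows, the rule that internet-facing assets are escalated one tier, the finding records and the function names are all constructed assumptions standing in for whatever the organization's own policy says. Its point is the one the scenario makes: the status of each finding is judged against a documented, severity-tied schedule and a verification rescan, not against "was it patched today".

```python
from datetime import date, timedelta

# Assumed policy: days allowed to remediate, by risk tier (not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIERS = ["low", "medium", "high", "critical"]

# Constructed findings. 'found' is the scan date; 'patched' is the team's
# claim; 'verified_clean' means a rescan confirmed the fix.
FINDINGS = [
    {"id": "F-1", "severity": "high", "internet_facing": True,
     "found": date(2024, 2, 10), "patched": True, "verified_clean": True},
    {"id": "F-2", "severity": "critical", "internet_facing": False,
     "found": date(2024, 2, 20), "patched": True, "verified_clean": False},
    {"id": "F-3", "severity": "medium", "internet_facing": False,
     "found": date(2023, 11, 1)},
    {"id": "F-4", "severity": "low", "internet_facing": False,
     "found": date(2024, 1, 15)},
]
TODAY = date(2024, 3, 1)   # review date, constructed


def risk_tier(severity, internet_facing):
    """Assumed prioritization rule: start from scanner severity and escalate
    one tier when the asset is exposed to the internet."""
    i = TIERS.index(severity)
    if internet_facing and i < len(TIERS) - 1:
        i += 1
    return TIERS[i]


def evaluate(findings, today):
    """For each finding return its tier, the SLA due date, and a status:
    'verified' (fixed and rescanned clean), 'patched-unverified' (fix claimed
    but not yet confirmed by rescan), 'overdue' (open past its due date), or
    'open' (unremediated but still within its window)."""
    report = []
    for f in findings:
        tier = risk_tier(f["severity"], f["internet_facing"])
        due = f["found"] + timedelta(days=SLA_DAYS[tier])
        if f.get("verified_clean"):
            status = "verified"
        elif f.get("patched"):
            status = "patched-unverified"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        report.append({"id": f["id"], "tier": tier,
                       "due": due.isoformat(), "status": status})
    return report


def exceptions(findings, today):
    """The rows an auditor would pull into a finding: anything overdue or
    claimed fixed without verification."""
    return [r for r in evaluate(findings, today)
            if r["status"] in ("overdue", "patched-unverified")]


if __name__ == "__main__":
    for row in evaluate(FINDINGS, TODAY):
        print(row)
    print("exceptions:", [r["id"] for r in exceptions(FINDINGS, TODAY)])
```

F-4 being open is not an exception: a low-risk item inside its 180-day window is the process working as documented. F-2 is the more interesting row, a critical item marked patched with no clean rescan, which is exactly the "verify remediation after patching" gap the answer calls out.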

If the question asks about:

When a data center fire suppression system uses standard water sprinklers and the auditor is asked what to recommend...

Answer:

Replace with a gas-based suppression system (FM-200, Inergen, or CO2). Water damages IT equipment — the suppression remedy may be worse than the fire. Gas-based systems extinguish fires without physical damage to electronics

Distractor to avoid:

Adding early-warning smoke detectors to the existing sprinkler system — this improves detection speed but does not resolve the core risk that water will damage IT equipment upon activation

Last-Minute Facts

1. MFA requires 2 DIFFERENT factor types: know + have, know + are, have + are
2. Two passwords = NOT MFA (same factor type twice)
3. DAC = owner controls access. MAC = system enforces labels. RBAC = roles control access (preferred for enterprises)
4. AES = symmetric (fast, data). RSA = asymmetric (slow, key exchange). SHA-256 = hashing (integrity, not encryption)
5. IDS = detect + alert (passive). IPS = detect + block (active)
6. FAR and FRR are inversely related. CER = crossover where they are equal; lower CER = better accuracy
7. Gas-based fire suppression in data centers: FM-200, Inergen, CO2 (NOT water sprinklers)
8. Vulnerability scan = discovers weaknesses. Penetration test = exploits weaknesses
9. Digital signature = hash + encrypt with PRIVATE key. Verify = decrypt with PUBLIC key + re-hash
10. PKI components: CA (issues certificates), RA (verifies identity), CRL (revoked certificates list)
11. Chain of custody is required when digital evidence may be used in legal proceedings
