Instructor-Led Course

Sample Exam

©2022. ISACA. All Rights Reserved 1


1. The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. standards.

2. Which of the following is MOST likely to remain constant over time? An information security:
A. policy.
B. standard.
C. strategy.
D. procedure.

3. What is the PRIMARY factor to be taken into account when designing a backup strategy that
will be consistent with a disaster recovery strategy?
A. Volume of sensitive data
B. Recovery point objective
C. Recovery time objective
D. Interruption window

4. When performing a business impact analysis, which of the following should calculate the
recovery time and cost estimates?
A. Business continuity coordinator
B. Information security manager
C. Business process owners
D. IT management

5. What is the MOST important reason for formally documenting security procedures?
A. Ensure processes are repeatable and sustainable.
B. Ensure alignment with business objectives.
C. Ensure auditability by regulatory agencies.
D. Ensure objective criteria for the application of metrics.

6. Which of the following choices should be assessed after the likelihood of a loss event has
been determined?
A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets

7. What is the BEST method to confirm that all firewall rules and router configuration settings
are adequate?
A. Periodic review of network configuration
B. Review of intrusion detection system logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity

8. Which of the following is the BEST method for ensuring that temporary employees do not
receive excessive access rights?
A. Mandatory access controls
B. Discretionary access controls
C. Lattice-based access controls
D. Role-based access controls

9. When designing an intrusion detection system, the information security manager should
recommend that it be placed:
A. outside the firewall.
B. on the firewall server.
C. on a screened subnet.
D. on the external router.

10. To BEST improve the alignment of the information security objectives in an enterprise, the
chief information security officer should:
A. revise the information security program.
B. evaluate a business balanced scorecard.
C. conduct regular user awareness sessions.
D. perform penetration tests.

11. Which of the following factors is MOST important for the successful implementation of an
enterprise’s information security program?
A. Senior management support
B. Budget for security activities
C. Regular vulnerability assessments
D. Knowledgeable security administrators

12. Management decided that the enterprise will not achieve compliance with a recently issued
set of regulations. Which of the following is the MOST likely reason for the decision?
A. The regulations are ambiguous and difficult to interpret.
B. Management has a low level of risk tolerance.
C. The cost of compliance exceeds the cost of possible sanctions.
D. The regulations are inconsistent with the organizational strategy.

13. Enterprises implement ethics training PRIMARILY to provide guidance to individuals
engaged in:
A. monitoring user activities.
B. implementing security controls.
C. managing risk tolerance.
D. assigning access.

14. To implement information security governance, an enterprise should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.

15. What is the BEST method to verify that all security patches applied to servers were properly
documented?
A. Trace change control requests to operating system (OS) patch logs.
B. Trace OS patch logs to OS vendor’s update documentation.
C. Trace OS patch logs to change control requests.
D. Review change control documentation for key servers.

16. Which of the following should be determined FIRST when establishing a business continuity
program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams

17. Which of the following is the MAIN reason for performing risk assessment on a continuous
basis?
A. The security budget must be continually justified.
B. New vulnerabilities are discovered every day.
C. The risk environment is constantly changing.
D. Management needs to be continually informed about emerging risk.

18. What is the BEST way to ensure that security settings on each platform are in compliance
with information security policies and procedures?
A. Perform penetration testing.
B. Establish security baselines.
C. Implement vendor default settings.
D. Link policies to an independent standard.

19. New regulatory and legal compliance requirements that will have an effect on information
security will MOST likely come from the:
A. corporate legal officer.
B. internal audit department.
C. affected departments.
D. compliance officer.

20. Addressing the root cause of an incident is one aspect of which of the following incident
management processes?
A. Eradication
B. Recovery
C. Lessons learned
D. Containment

21. What is the PRIMARY objective of security awareness?
A. Ensure that security policies are understood.
B. Influence employee behavior.
C. Ensure legal and regulatory compliance.
D. Notify of actions for noncompliance.

22. Which of the following is MOST important when collecting evidence for forensic analysis?
A. Ensure the assignment of qualified personnel.
B. Request the IT department do an image copy.
C. Disconnect from the network and isolate the affected devices.
D. Ensure law enforcement personnel are present before the forensic analysis commences.

23. An enterprise is transferring its IT operations to an offshore location. An information security
manager should PRIMARILY focus on:
A. reviewing new laws and regulations.
B. updating operational procedures.
C. validating staff qualifications.
D. conducting a risk assessment.

24. Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records

25. Who should be assigned as data owner for sensitive customer data that are used only by
the sales department and stored in a central database?
A. The sales department
B. The database administrator
C. The chief information officer
D. The head of the sales department

26. Which of the following do security policies need to be MOST closely aligned with?
A. Industry good practices
B. Organizational needs
C. Generally accepted standards
D. Local laws and regulations

27. When creating an effective data-protection strategy, the information security manager must
understand the flow of data and its protection at various stages. This is BEST achieved with:
A. a third-party vulnerability assessment.
B. a tailored methodology based on exposure.
C. an insurance policy for accidental data losses.
D. a tokenization system set up in a secure network environment.

28. Which of the following is MOST essential when assessing risk?
A. Providing equal coverage for all asset types
B. Benchmarking data from similar enterprises
C. Considering both monetary value and likelihood of loss
D. Focusing on valid past threats and business losses

29. Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory

30. An enterprise has verified that its customer information was recently exposed. Which of the
following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.

31. Which of the following is the BEST approach for an enterprise desiring to protect its
intellectual property?
A. Conduct awareness sessions on intellectual property policy.
B. Require all employees to sign a nondisclosure agreement.
C. Promptly remove all access when an employee leaves the enterprise.
D. Restrict access to a need-to-know basis.

32. Which of the following steps should be FIRST in developing an information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.

33. Which of the following individuals would be in the BEST position to sponsor the creation of
an information security steering group?
A. Information security manager
B. Chief operating officer
C. Internal auditor
D. Legal counsel

34. What mechanism should be used to identify deficiencies that would provide attackers with
an opportunity to compromise a computer system?
A. Business impact analysis
B. Security gap analysis
C. System performance metrics
D. Incident response processes

35. The MOST direct way to accurately determine the control baseline in an IT system is to do
which of the following activities?
A. Review standards and system compliance.
B. Sample hardware and software configurations.
C. Review system and server logs for anomalies.
D. Perform internal and external penetration tests.

36. Which of the following provides the BEST confirmation that the business continuity
plan/disaster recovery plan (BCP/DRP) objectives have been achieved?
A. The recovery time objective was not exceeded during testing.
B. Objective testing of the BCP/DRP has been carried out consistently.
C. The recovery point objective was proved inadequate by DRP testing.
D. Information assets have been valued and assigned to owners according to the BCP/DRP.

37. Which of the following situations would be of the MOST concern to a security manager?
A. Audit logs are not enabled on a production server.
B. The logon ID for a terminated systems analyst still exists on the system.
C. The help desk has received numerous reports of users receiving phishing emails.
D. A Trojan was found installed on a systems administrator’s laptop.

38. Which of the following would BEST prepare an information security manager for regulatory
reviews?
A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owner’s input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.

39. Which of the following BEST protects confidentiality of information?
A. Information classification
B. Segregation of duties
C. Least privilege
D. Systems monitoring

40. Which of the following techniques MOST clearly indicates whether specific risk-reduction
controls should be implemented?
A. Cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy calculation

41. An information security manager is in the process of investigating a network intrusion. One
of the enterprise’s employees is a suspect. The manager has just obtained the suspect’s
computer and hard drive. Which of the following is the BEST next step?
A. Create an image of the hard drive.
B. Encrypt the data on the hard drive.
C. Examine the original hard drive.
D. Create a logical copy of the hard drive.

42. Which of the following choices is the BEST indicator of the state of information security
governance?
A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents

43. What is a desirable sensitivity setting for a biometric access control system that protects a
high-security data center?
A. A high false reject rate
B. A high false acceptance rate
C. Lower than the crossover error rate
D. The exact crossover error rate

44. The MOST useful way to describe the objectives in the information security strategy is
through:
A. attributes and characteristics of the desired state.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.

45. Quantifying the level of acceptable risk can BEST be indicated by which of the following
choices?
A. Surveying business process owners and senior managers
B. Determining the percentage of the IT budget allocated to security
C. Determining the ratio of business interruption insurance to its cost
D. Determining the number and severity of incidents impacting the enterprise

46. Which of the following control measures BEST addresses integrity?
A. Nonrepudiation
B. Time stamps
C. Biometric scanning
D. Encryption

47. Which of the following measures would be MOST effective against insider threats to
confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense in depth

48. With regard to the implementation of security awareness programs in an enterprise, it is
MOST relevant to understand that which one of the following aspects can change?
A. The security culture
B. The information technology
C. The compliance requirements
D. The threats and vulnerabilities

49. There is a delay between the time when a security vulnerability is first published, and the
time when a patch is delivered. Which of the following should be carried out FIRST to mitigate
the risk during this time period?
A. Identify the vulnerable systems and apply compensating controls.
B. Minimize the use of vulnerable systems.
C. Communicate the vulnerability to system users.
D. Update the signatures database of the intrusion detection system.

50. Which of the following will MOST likely reduce the chances of an unauthorized individual
gaining access to computing resources by pretending to be an authorized individual needing to
have their password reset?
A. Performing reviews of password resets
B. Conducting security awareness programs
C. Increasing the frequency of password changes
D. Implementing automatic password syntax checking

51. An information security strategy presented to senior management for approval MUST
incorporate:
A. specific technologies.
B. compliance mechanisms.
C. business priorities.
D. detailed procedures.

52. When outsourcing, to ensure that third-party service providers comply with an enterprise
security policy, which of the following should occur?
A. A predefined meeting schedule
B. A periodic security audit
C. Inclusion in the contract of a list of individuals to be called in the event of an incident (call
tree)
D. Inclusion in the contract of a confidentiality clause

53. Which one of the following measures will BEST indicate the effectiveness of an incident
response process?
A. Number of open incidents
B. Reduction of the number of security incidents
C. Reduction of the average response time to an incident
D. Number of incidents handled per month

54. The BEST process for assessing an existing risk level is:
A. an impact analysis.
B. a security review.
C. a vulnerability assessment.
D. a threat analysis.

55. The triage phase of the incident response plan provides:
A. a snapshot of the current status of all incident activity reported.
B. a global, high-level view of the open incidents.
C. a tactical review of an incident’s progression and resolution.
D. a comprehensive basis for changes to the enterprise architecture.

56. Which of the following poses the GREATEST challenge to an enterprise seeking to prioritize
risk management activities?
A. An incomplete catalog of information assets
B. A threat assessment that is not comprehensive
C. A vulnerability assessment that is outdated
D. An inaccurate valuation of information assets

57. Which of the following is the MOST serious exposure of automatically updating virus
signature files on every desktop each Friday at 11:00 p.m. (2300 hours)?
A. Most new viruses’ signatures are identified over weekends.
B. Technical personnel are not available to support the operation.
C. Systems are vulnerable to new viruses during the intervening week.
D. The update’s success or failure is not known until Monday.

58. The factor that is MOST likely to result in identification of security incidents is:
A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system capabilities.
D. security awareness training.

59. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.

60. What is the BEST way to determine if an anomaly-based intrusion detection system (IDS) is
properly installed?
A. Simulate an attack and review IDS performance.
B. Use a honeypot to check for unusual activity.
C. Audit the configuration of the IDS.
D. Benchmark the IDS against a peer site.

61. Which of the following should be performed FIRST in the aftermath of a denial-of-service
(DoS) attack?
A. Restore servers from backup media stored offsite.
B. Conduct an assessment to determine system status.
C. Perform an impact analysis of the outage.
D. Isolate the screened subnet.

62. When should a request for proposal be issued?
A. At the project feasibility stage
B. Upon management project approval
C. Prior to developing a project budget
D. When developing the business case

63. Which of the following factors is the MOST significant in determining an enterprise’s risk
appetite?
A. The nature and extent of threats
B. Organizational policies
C. The overall security strategy
D. The organizational culture

64. From an information security perspective, which of the following will have the GREATEST
impact on a financial enterprise with offices in various countries and involved in transborder
transactions?
A. Current and future technologies
B. Evolving data protection regulations
C. Economizing the costs of network bandwidth
D. Centralization of information security

65. With which of the following business functions is integration of information security MOST
likely to result in risk being addressed as a standard part of production processing?
A. Quality assurance
B. Procurement
C. Compliance
D. Project management

66. The MOST effective way to limit actual and potential impacts of e-discovery in the event of
litigation is to:
A. implement strong encryption of all sensitive documentation.
B. ensure segregation of duties and limited access to sensitive data.
C. enforce a policy of not writing or storing potentially sensitive information.
D. develop and enforce comprehensive retention policies.

67. Which of the following choices is the MOST significant single point of failure in a public key
infrastructure?
A. A certificate authority’s (CA) public key
B. A relying party’s private key
C. A CA’s private key
D. A relying party’s public key

68. Which of the following choices is the BEST input for the definition of escalation guidelines?
A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources

69. What is the BEST way to ensure users comply with organizational security requirements for
password complexity?
A. Include password construction requirements in the security standards.
B. Require each user to acknowledge the password requirements.
C. Implement strict penalties for user noncompliance.
D. Enable system-enforced password configuration.

70. Information security managers should use risk assessment techniques to:
A. justify selection of risk mitigation strategies.
B. maximize the return on investment.
C. provide documentation for auditors and regulators.
D. quantify risk that would otherwise be subjective.

71. Which of the following functions is responsible for determining the members of the
enterprise’s response teams?
A. Governance
B. Risk management
C. Compliance
D. Information security

72. When a large enterprise discovers that it is the subject of a network probe, which of the
following actions should be taken?
A. Reboot the router connecting the demilitarized zone (DMZ) to the firewall.
B. Power down all servers located on the DMZ segment.
C. Monitor the probe and isolate the affected segment.
D. Enable server trace logging on the affected segment.

73. The concept of governance, risk and compliance serves PRIMARILY to:
A. align enterprise assurance functions.
B. ensure that all three activities are addressed by policy.
C. present the correct sequence of security activities.
D. define the responsibilities of information security.

74. An enterprise’s board of directors is concerned about recent fraud attempts that originated
over the Internet. What action should the board take to address this concern?
A. Direct information security operations regarding specific solutions that are needed to address
the risk.
B. Research solutions to determine appropriate actions for the enterprise.
C. Take no action; information security does not report to the board.
D. Direct executive management to assess the risk and to report the results to the board.

75. Under what circumstances do good information security practices dictate a full
reassessment of risk?
A. After a material control failure
B. When regular assessments show unremediated risk
C. Subsequent to installing an updated operating system
D. After emergency changes have been initiated