ISACA
Free CISA - Certified Information Security Auditor Practice Questions
The Certified Information Systems Auditor (CISA) course prepares professionals to audit, control, monitor, and assess an organisation’s information systems to ensure they are secure, compliant, and effectively governed.
- 10 sample questions
- 240 min exam time limit
- 70% passing score
- $392 exam voucher
About the CISA - Certified Information Security Auditor Exam
CompTIA Security+ (SY0-701) is the most widely held entry-level cybersecurity certification in the world, and the baseline standard for IT security roles across both the private sector and US federal government. It is approved under DoD 8570/8140, making it a mandatory requirement for many defence and government contractor positions. Security+ validates that you can assess the security posture of an enterprise environment, recommend and implement appropriate security solutions, monitor and secure hybrid environments, and respond to security incidents. The exam covers six domains: General Security Concepts, Threats, Vulnerabilities and Mitigations, Security Architecture, Security Operations, Security Programme Management and Oversight, and Cryptography and PKI. Security+ is vendor-neutral, meaning the skills it certifies apply across all technology platforms and cloud providers. It is the ideal next step after CompTIA Network+ or for IT professionals moving into a dedicated security role.
Exam Domains Covered
Exam Format & Details
The CompTIA Security+ exam (SY0-701) consists of a maximum of 90 questions, including multiple-choice and performance-based questions (PBQs). The time limit is 90 minutes. The passing score is 750 on a scale of 100–900. The exam is available at Pearson VUE test centres worldwide or via online proctoring. The exam voucher costs $392 USD. CompTIA recommends (but does not require) CompTIA Network+ certification and two years of IT experience with a security focus before sitting Security+. Results are available immediately for computer-based testing.
Why Practice Questions Matter
Security+ uses performance-based questions (PBQs) alongside multiple-choice, which means some questions require you to interact with simulated environments — configuring firewalls, analysing logs, or identifying vulnerabilities in a network diagram. You cannot pass Security+ through memorisation alone. Timed practice builds the fluency you need to move through scenario questions quickly and confidently. CertCrush questions are written to match the SY0-701 domain weighting, so your practice time targets the areas that actually appear on the exam.
Sample Practice Questions
The following questions are a preview of the type of syllabus-aligned questions you will practise in CertCrush. They reflect the format and reasoning style of the CISA - Certified Information Security Auditor exam — not actual exam content.
Q1. What is the PRIMARY purpose of conducting vendor due diligence BEFORE onboarding a new critical IT supplier at a logistics firm?
- A. To negotiate the lowest possible price for the services the vendor will provide.
- B. To assess the vendor's financial stability, security controls, and operational capabilities before the organisation becomes dependent on the vendor's services.
- C. To verify that the vendor's employees have passed criminal background checks.
- D. To ensure the vendor's marketing materials accurately represent their service capabilities.
Domain: Governance and Management of IT
Q2. During a vendor risk assessment at a telco, an IS auditor finds that the company's most critical network operations vendor has never been subjected to a formal right-to-audit clause review, and the existing contract does not include such a clause. What is the MOST significant governance concern?
- A. The absence of a right-to-audit clause means the telco cannot independently verify the vendor's control environment and must rely solely on vendor-provided representations, which may not be objective.
- B. The telco should immediately terminate the vendor relationship because contracts without right-to-audit clauses are legally invalid.
- C. The vendor should be required to provide ISO 27001 certification as an alternative to a contractual right-to-audit clause.
- D. The right-to-audit clause only applies to financial audits and is not relevant to IT security assessments.
Domain: Governance and Management of IT
Q3. An IS auditor at an insurance company reviews the vendor risk management program and finds that vendor risk assessments are performed only at contract signing and never repeated during the vendor relationship, which can span 5-10 years. What is the MOST significant risk of this approach?
- A. The organisation may pay higher prices because vendor pricing is not regularly benchmarked.
- B. The organisation may be unaware of material changes in the vendor's risk profile — such as financial instability, security breaches, or control deterioration — that occur during the relationship and could impact service reliability or data security.
- C. The organisation may not qualify for vendor loyalty discounts that require ongoing relationship assessments.
- D. The initial due diligence documentation will become outdated and may not satisfy internal audit file retention requirements.
Domain: Governance and Management of IT
Q4. An energy company relies on five different vendors for operational technology (OT) security monitoring services, each providing similar capabilities. An IS auditor flags this as a potential risk. Which type of risk is the auditor MOST likely identifying?
- A. Fourth-party risk, because each vendor may use subcontractors to deliver their monitoring services.
- B. Vendor concentration risk — but in reverse: the use of too many vendors for the same capability can create governance complexity, inconsistent controls, and gaps in monitoring coverage.
- C. Outsourcing risk, because security monitoring should always be performed internally.
- D. Regulatory risk, because energy sector regulations prohibit the use of multiple OT security vendors simultaneously.
Domain: Governance and Management of IT
Q5. An IS auditor at a university is reviewing the institution's SLA with its cloud email provider. The SLA specifies 99.5% uptime but does not define how uptime is measured, what constitutes a service outage, or what penalties apply for breaches. What is the MOST significant deficiency in this SLA?
- A. The SLA should specify the vendor's hardware refresh schedule to ensure uptime targets are achievable.
- B. Without defined measurement methodology, outage definitions, and penalties, the SLA's uptime commitment is unenforceable and provides the university with no practical recourse when service levels are not met.
- C. The SLA should require the vendor to carry a specific level of cyber liability insurance.
- D. The uptime target of 99.5% is too low for a university email system and should be at least 99.99%.
Domain: Governance and Management of IT
Frequently Asked Questions
What is included in the free CISA - Certified Information Security Auditor sample?
The free sample includes 10 syllabus-aligned practice questions, sample flashcards, and a preview chapter from the study guide. No account or payment is required to try the sample.
How many questions are in the full CISA - Certified Information Security Auditor course?
The full course includes a comprehensive question bank covering all exam domains. You can see the total question count on the CISA - Certified Information Security Auditor course page.
Are these official ISACA exam questions?
No. CertCrush questions are independently written and syllabus-aligned — they mirror the format, difficulty, and reasoning style of the official exam. We are not affiliated with or endorsed by ISACA.
Which domains does the CISA - Certified Information Security Auditor course cover?
The course covers 5 exam domains: Information Systems Auditing Process, Governance and Management of IT, Information Systems Acquisition, Development, and Implementation, Information Systems Operations and Business Resilience, Protection of Information Assets.
Can I study on mobile?
Yes. CertCrush is fully responsive and works on phones, tablets, and desktops. The timed exam, flashcards, and study guide all work on mobile without installing an app.
What happens when I create an account?
Creating a free account lets you access full courses, track your weak areas by domain, and resume practice sessions across devices. No credit card is required to register.