2025年國(guó)際注冊(cè)信息系統(tǒng)審計(jì)師（CISA）資格考試（英文版）經(jīng)典試題及答案一Part1–Multiple-ChoiceQuestions(singleresponse)1.Duringapost-implementationreviewofanenterpriseresourceplanning(ERP)system,anISauditornotesthatthreecriticalsegregation-of-dutiesconflictsidentifiedinthedesignphaseremainunresolved.Theprojectsteeringcommitteearguesthatcompensatingdetectivecontrolsarenowinplaceandthatthecostofre-codingwouldexceedtherisk.WhichofthefollowingfindingsshouldberatedastheMOSTsignificant?A.Thedetectivecontrolsarenotautomated.B.Thebusinessownerhasnotsignedtheresidualriskacceptance.C.Theconflictsexistinthepaymentandprocurementmodules.D.Theaudittrailretentionperiodisonlyninetydays.Answer:BExplanation:Riskacceptancewithoutdocumentedsign-offviolatesgovernancepolicyandinvalidatesthecontrolenvironmentregardlessofthetechnicalcompensatingmeasure.2.Anorganizationhasmigrateditscustomer-facingwebclustertoacontainerizedmicro-servicearchitectureorchestratedbyKubernetes.ManagementhasaskedtheISauditortoevaluatewhetherthenewenvironmentachievesthesameassurancelevelastheformerVM-basedbaseline.WhichtestprovidestheSTRONGESTevidencethatcontainerescapeprotectioniseffective?A.ReviewtheCISKubernetesBenchmarkhardeningscore.B.InspecttheAppArmororSELinuxprofilesappliedtoeachcontainer.C.AttempttoaccessthehostOSfromanunprivilegedcontainerusingakernelexploitpayload.D.Verifythatthecontainerruntimeispatchedwithinthelastthirtydays.Answer:CExplanation:Actualexploitationtesting(withpropersafeguards)producesdirectevidencethatcontainmentmechanismspreventprivilegeescalation.3.AglobalbankusesanAImodeltopre-screenmortgageapplications.Regulatoryguidancerequiresthatthemodel’svariablesbeexplainabletorejectedapplicants.WhichcontrolBESTensuresongoingcompliance?A.Maintainadatalineagediagramfromsourcetomodelscore.B.LogeveryparameterupdateinthemodelregistrywithapproverID.C.ImplementSHAPvaluereportingforeachdecision.D.Archivetrainingdatasnapshotsforsevenyears.Answer:CExplanation:SHAP(SHapleyAdditiveexPlanations)produceshuman-readablereasoncodesthatsatisfyexplainabilitymandates.4.AnISauditorisreviewingthecryptographicarchitectureofablockchain-basedsupply-chainledger.Thesolutionuses256-bitECCfortransactionsigningandAES-256-GCMforoff-chainstorageencryption.Whichobservationrepresentsamaterialweakness?A.ThesameECCkeypairisusedforbothauthenticationandencryption.B.TheAES-GCMinitializationvectorisastaticzerovector.C.Theledger’sconsensusalgorithmisProof-of-StakeinsteadofProof-of-Work.D.Therootcertificateisself-signed.Answer:BExplanation:ReusinganIVwithGCMmodebreaksconfidentialityandauthenticity;theotherchoicesaredesigndecisions,notinherentweaknesses.5.ASaaSprovideroffersamulti-tenantplatformthatstoresEUandUScustomerdatainthesamedatabaseschemabutusesa“tenant_id”columnforisolation.TheproviderhasobtainedISO27001certification.WhichauditfindingpresentstheGREATESTregulatoryriskunderGDPR?A.DatabasebackupsareencryptedbutstoredinaUSregion.B.Thedataretentionschedulediffersbytenantbutisnotenforcedatthedatabaselayer.C.Cross-borderdatatransferagreementsrelyonStandardContractualClausessignedin2016.D.Theright-to-be-forgottenrequestisfulfilledbyasoftdeleteflag.Answer:DExplanation:SoftdeletedoesnotsatisfytheGDPRrequirementforerasure;dataremainphysicallypresentandrecoverable.6.Anorganizationhasimplementedazero-trustnetworkarchitecture.WhichmetricBESTdemonstratesthatthecontrolobjective“preventlateralmovement”ismet?A.PercentageofendpointswithEDRinstalled.B.Averagetimetoquarantineacompromiseddevice.C.Numberofeast-westconnectionsblockedbymicro-segmentationpolicies.D.Ratioofencryptedvs.plaintexttraffic.Answer:CExplanation:Blockinglateralconnectionsdirectlyevidencescontainmentcapability.7.DuringacloudIaaSaudit,theISauditorfindsthattheDevOpsteamcanspinupinstancesusingapre-hardenedgoldenimage,buttheimagewaslastupdatedninemonthsago.WhichriskisMOSTcritical?A.TheimagelacksthelatestOSsecuritypatches.B.TheimageisstoredinapublicS3bucket.C.TheimageissharedacrossmultipleAWSaccounts.D.Theimageisnottaggedaccordingtothecost-centerpolicy.Answer:AExplanation:Staleimagesintroduceknownvulnerabilitiesintonewinstances,underminingthesecuritybaseline.8.Aretailcompanyusesanopen-sourcee-commerceframework.Thesecurityteamruns“npmaudit”intheCIpipelineandbreaksthebuildonanyhigh-severityfinding.WhichadditionalcontrolprovidestheBESTassuranceagainstsupply-chainattacks?A.PindependenciestoexactSHA-256hashesinpackage-lock.json.B.Requiretwo-personcodereviewforeverypullrequest.C.Runstaticanalysistools(SAST)oncustomcode.D.EnableContentSecurityPolicyheadersinproduction.Answer:AExplanation:Hashpinningpreventssubstitutionofmaliciouspackageseveniftherepositoryiscompromised.9.AnISauditorisvalidatingtheintegrityoffirewallrulechanges.WhichsourceofevidenceistheMOSTreliable?A.ChangeticketsapprovedintheITSMsystem.B.Configurationbackupsstoredonthefirewallflash.C.SyslogmessagesexportedtoanimmutableSIEM.D.Screenshotsoftherulebasetakenbythefirewalladmin.Answer:CExplanation:Tamper-evidentcentralizedlogsprovideindependent,time-synchronizedevidence.10.Ahospital’smedicaldevicenetworkusesIEEE802.1Xcertificate-basedauthentication.TheISauditordiscoversthattheRADIUSserveracceptscertificatessignedbyaninternalCAwhoseprivatekeyisstoredinasoftwarefile.Whichrecommendationshouldbeprioritized?A.MigratetheCAkeytoaFIPS140-3Level3HSM.B.Shortenthecertificatevalidityperiodto90days.C.EnableOCSPstaplingontheRADIUSserver.D.ImplementMACsecforlink-layerencryption.Answer:AExplanation:HardwareprotectionoftheCAprivatekeyisfoundationaltothetrustmodel;othercontrolsaresecondary.11.ApaymentprocessorhasdeployedaDevSecOpspipelinethatdigitallysignseverycontainerimage.Theauditorwantsassurancethatthesigningkeyisnotmisused.WhichtestprovidestheSTRONGESTevidence?A.Verifythatthepublickeyispublishedintheorganization’sDNSTXTrecord.B.Inspectthepipelinelogsforsigningoperationstiedtoaspecificserviceaccount.C.ConfirmthattheprivatekeyisstoredinaKMSwithIAMrestrictions.D.Checkthatimagesarerejectedwhenthesignatureverificationfails.Answer:CExplanation:Properkeycustodypreventsunauthorizedsigning;rejectionofunsignedimagesisadetectivecontrol,notpreventive.12.AnISauditorisreviewingthebackupstrategyforacriticalPostgreSQLcluster.TheDBAteamperformshourlyWALarchivinganddailypg_basebackuptoanS3bucketwithversioningenabled.Whichfindingrequiresimmediateescalation?A.TheS3bucketisinthesameAWSaccountasthedatabase.B.ThelifecyclepolicytransitionsbackupstoGlacierafter30days.C.Therestoredrilllastquarterrecoveredtoapoint12minutesaftertheincident.D.ThebucketpolicyallowsDELETEactionstotheDBArole.Answer:DExplanation:Immutabilityiscompromisedifauthorizeduserscandeletebackupobjects,violatingthe“cannotbeerasedwithinretention”requirement.13.AmultinationalhasadoptedNISTSP800-53asitscontrolframework.TheauditorfindsthattheIR-9“InformationSpillage”controlismarked“notapplicable”becausetheorganizationusesonlyencryptedmedia.Whichstatementisaccurate?A.Encryptioneliminatestheneedforspillageincidentprocedures.B.Thecontrolshouldstilladdressaccidentalexposureofcleartextmetadata.C.Thecontrolisonlyrequiredforclassifiedgovernmentdata.D.Theauditormustacceptmanagement’sscopingdecision.Answer:BExplanation:Encrypteddatacanstillbespilled(e.g.,decryptionkeysormetadata),soincidentresponseproceduresremainnecessary.14.AcitygovernmenthasdeployedIoTparkingsensorsthatcommunicateoverLoRaWAN.Theauditorisconcernedaboutfirmwareintegrity.WhichcontrolprovidestheMOSTassurancethatonlyauthorizedfirmwareisinstalled?A.RequireTLSforfirmwaredownload.B.ImplementsignedfirmwareimagesverifiedbybootloaderECDSAchecks.C.DisabletheUARTdebuginterfaceonproductiondevices.D.UseaVPNtunnelfromthesensorgatewaytotheoperationscenter.Answer:BExplanation:Cryptographicsignatureverificationbythebootloaderistherootoftrustforfirmwareauthenticity.15.Asoftwarecompanyhasadopteda“policy-as-code”approachusingOpenPolicyAgent(OPA)toenforceRBACinitsKubernetesclusters.WhichauditprocedureBESTverifiesthatthepoliciesareeffective?A.ReviewOPARegofilesinGitforsyntaxcorrectness.B.AttempttocreateapodthatviolatespolicyandconfirmtheAPIserverrejectsit.C.CheckthatOPAsidecarcontainersarerunningoneverynode.D.InspecttheKubernetesauditlogsforpolicyevaluationlatency.Answer:BExplanation:Activetestingdemonstratesthattheadmissioncontrollerblocksdisallowedactions.16.AnonlinegamingplatformusesRedisforsessionmanagement.Theauditordiscoversthattheredis.conffilecontains“requirepassfoobar2023”.WhichadditionalfindingwouldMOSTincreasetheriskofcredentialcompromise?A.RedislistensonallinterfacesinsideaDockercontainer.B.ThepasswordishashedwithSHA-1intheconfigfile.C.Thecontainerrunsasroot.D.ThesessiondataincludeJWTtokenssignedwithHS256.Answer:AExplanation:Bindingtoallinterfacesexposestheservicetolateralnetworkattacksevenifpassword-protected.17.Afinancialservicesfirmhasimplementedasecurityorchestration,automationandresponse(SOAR)platform.Playbooksauto-quarantineendpointswhenEDRdetectscredentialdumping.WhichmetricBESTdemonstratesthecontrol’seffectiveness?A.Numberofphishingemailsblockedatthegateway.B.Meantimebetweendetectionandquarantine.C.PercentageofendpointswithEDRagentsonline.D.Numberoffalse-positivequarantinesperweek.Answer:BExplanation:Speedofcontainmentlimitsattackerdwelltime.18.Acloud-nativeworkloadusesAWSKMSforenvelopeencryption.Theauditorwantstoverifythatdatakeysarenotpersistedunencrypted.WhichlogsourceprovidestheMOSTpersuasiveevidence?A.CloudTraillogsshowingDecryptAPIcalls.B.VPCFlowLogsfortheKMSendpoint.C.Applicationlogsthatprintthebase64-encodedciphertext.D.AWSConfigruleevaluations.Answer:AExplanation:CloudTrailrecordsprovethattheapplicationcallsDecryptatruntimeratherthanstoringplaintextkeys.19.AmanufacturingplantusesOPCUAformachine-to-machinecommunication.Theauditorfindsthatsecuritymodeissetto“Sign”butnot“SignAndEncrypt”.WhichriskisMOSTconcerning?A.Messageintegrityisnotguaranteed.B.Messageconfidentialityisnotprotected.C.Replayattacksarepossible.D.Certificaterevocationisnotchecked.Answer:BExplanation:“Sign”providesintegrityandauthenticationbutleavespayloaddataincleartext.20.Agovernmentagencyhasmandatedthatallprivilegedaccessmustberecordedusingasession-broker(PAM)solution.TheauditorfindsthatadministratorscanstillSSHdirectlytoproductionserversusingpersonalSSHkeys.Whichcontrolgapshouldbereportedascritical?A.LackofgeographicIPrestrictions.B.Absenceofcommandwhitelisting.C.Bypassofthesessionrecordingcontrol.D.Useofpersonalinsteadofsharedaccounts.Answer:CExplanation:Unrecordedsessionsviolatetheregulatoryrequirementandimpedeforensicinvestigation.Part2–Multiple-ChoiceQuestions(multipleresponses)21.WhichofthefollowingprovideSTRONGevidencethataWindowsdomainhasbeenhardenedagainstKerberoasting?(Choosetwo.)A.Alluseraccountsaresetto“Accountissensitiveandcannotbedelegated”.B.Serviceaccountsuse25-characterrandomlygeneratedpasswords.C.AES-256isthepreferredencryptiontypeforKerberostickets.D.TheKRBTGTaccountpasswordwaslastchangedtwoyearsago.E.Privilegedusersareinthe“ProtectedUsers”group.Answer:B,EExplanation:Longservice-accountpasswordsincreasethecrackingeffort,andProtectedUsersenforcesAES&blocksofflineTGTcracking.22.AnISauditorisreviewingtheuseofTLS1.3inamobilebankingapp.Whichconfigurationsensureperfectforwardsecrecy?(Choosetwo.)A.cipher-suiteTLS_AES_256_GCM_SHA384B.cipher-suiteTLS_CHACHA20_POLY1305_SHA256C.staticRSAcertificatesforkeyexchangeD.0-RTTmodeenabledE.KeyshareusingX25519Answer:A,EExplanation:TLS1.3mandatesephemeralkeyexchange;staticRSAisprohibited;0-RTTdoesnotaffectPFS.23.WhichofthefollowingarePRIMARYobjectivesofaSOC2TypeIIaudit?(Choosethree.)A.Evaluatethefairnessoffinancialstatements.B.Assesstheeffectivenessofsecuritycontrolsoveraperiod.C.Issueanopiniononavailabilitycommitments.D.DeterminecompliancewithPCIDSS.E.Validateconfidentialitypoliciesforcustomerdata.Answer:B,C,EExplanation:SOC2coverssecurity,availability,confidentiality,processingintegrityandprivacy;financialsandPCIareseparateengagements.24.AcompanyusesTerraformtoprovisioncloudinfrastructure.Whichpracticesreducetheriskofstatefiletampering?(Choosetwo.)A.StorestateinalocalJSONfileontheCIrunner.B.Enablestatefileencryptionatrestinthebackend.C.UseremotestatelockingwithDynamoDB.D.CommitthestatefiletoGitforversioncontrol.E.Applyleast-privilegeIAMonthebackendbucket.Answer:B,CExplanation:Encryptionandlockingpreventconcurrentwritesandunauthorizedalteration;localfilesandGitarevulnerable.25.WhichofthefollowingarevalidCOBIT2019governanceobjectives?(Choosethree.)A.APO01–ManagetheITmanagementframework.B.BAI01–Manageprograms.C.DSS01–Manageoperations.D.MEA01–Monitor,evaluateandassessperformance.E.APO13–Managecybersecurity.Answer:A,B,DExplanation:APO13doesnotexist;cybersecurityisembeddedacrossmultipledomains.Part3–Scenario-BasedQuestionsScenario1AregionalhospitalisdeployinganAI-assistedradiologyplatformthatprocesseschestX-raysinrealtime.Thearchitectureincludes:-EdgedevicesintheradiologyroomthatcaptureDICOMimages.-AlocalGPUserverthatrunstheinferencecontainer.-Acloud-basedtrainingpipelinethatretrainsthemodelmonthly.-Awebportalwhereradiologistsreviewandannotateresults.ThehospitalmustcomplywithHIPAA,FDA21CFRPart820,andlocaldata-residencylawsthatprohibitpatientdatafromleavingthecountry.26.Theauditorfindsthattheinferenceserverstorespatientdataonanunencryptedext4partition.WhichistheMOSTimpactfulremediation?A.Enabledm-cryptLUKSfull-diskencryption.B.MovethedatatoanencryptedS3bucket.C.Switchtoaread-onlyfilesystem.D.Hashthepatientidentifierbeforesaving.Answer:AExplanation:Full-diskencryptionprotectsdataatrestwithoutrequiringapplicationchangesandsatisfiesHIPAAsafe-harborforlostdevices.27.Thecontainerimageispulledfromapublicregistrywithoutsignatureverification.WhichcontrolshouldbeimplementedFIRST?A.RunClairvulnerabilityscanning.B.MirrorimagestoaprivateregistryandenforceDockerContentTrust.C.EnableSELinuxinenforcingmodeonthehost.D.Switchtoadistrolessbaseimage.Answer:BExplanation:Signatureverificationestablishesauthenticitybeforeanyotherhardeningmeasures.28.Thetrainingpipelineusesfederatedlearningtoavoidexportingrawimages.Whichauditfindingrepresentsaresidualprivacyrisk?A.Modelgradientscouldleakpersonalinformation.B.Thecloudregionisinadifferentcontinent.C.TheaggregationserverusesTLS1.2insteadof1.3.D.Themodelweightsarestoredinplaintext.Answer:AExplanation:Gradientinversionattackscanreconstructtrainingdataeveninfederatedsetups.29.RadiologistsauthenticateviaSAMLtothewebportal.TheIdPisoutsidethehospital’sjurisdiction.WhichcontrolBESTmitigatesjurisdictionalrisk?A.Implementanon-premisesIdPandrequirelocalauthentication.B.EncryptSAMLassertionsusingAES-256.C.RequireMFAforallIdPaccounts.D.SignSAMLassertionswithRSA-4096.Answer:AExplanation:LocalIdPkeepsauthenticationeventsandattributeswithinthecountry,satisfyingdata-residency.30.TheauditorwantstoverifythatAImodeldriftisdetectedpromptly.WhichmetricprovidestheSTRONGESTevidence?A.Weeklymanualreviewoffalse-negativerates.B.AutomatedKolmogorov-Smirnovtestoninputfeaturedistributions.C.ComparisonofGPUutilizationbeforeandafterupdates.D.Numberofhelp-deskticketsfromradiologists.Answer:BExplanation:Statisticaltestsonfeaturedriftprovidequantitative,timelydetection.Scenario2Afintechstartupoffersamobilewalletthatstorestokenizedpaymentcredentials.TheplatformisPCIDSSv4.0compliant.ArecentpenetrationtestrevealedthattheAndroidappacceptsself-signedcertificateswhenthebackendcertificateisinvalid.TheCTOarguesthatcertificatepinningisinplaceandthefindingisafalsepositive.31.WhichtestwouldCONFIRMthevulnerability?A.ProxytheappthroughBurpSuitewithaself-signedcertandcapturesuccessfulAPIcalls.B.ChecktheGooglePlaysecurityreportforunsafecipherusage.C.InspecttheAPKforthepinningimplementationsourcecode.D.ReviewtheQualysSSLLabsgradeforthebackenddomain.Answer:AExplanation:Successfultransactionwithanuntrustedcertprovesthepinningcontrolisbypassed.32.Theauditorfindsthatthetokenvaultdatabaseusestransparentdataencryption(TDE)buttheDBAcanstillexportcleartexttokens.WhichPCIrequirementisMOSTrelevant?A.Req3.5–Securecryptographickeystorage.B.Req3.4–RenderPANunreadableanywherestored.C.Req7.1–Limitaccesstoneed-to-know.D.Req8.2–Userauthenticationforaccess.Answer:CExplanation:Accesscontrol,notencryption,preventstheDBAfromviewingcleartext.33.Thestartupusesserver-sidetokenization.Whichcontrolensuresthatthetoken-to-PANmappingcannotbereconstructedbyaninsider?A.HSM-basedAESkeywrappingwithsplitknowledge.B.DailytokendatabasesnapshotsencryptedwithKMS.C.Tokenformat-preservingencryption.D.RandomlygeneratedtokenswithnomathematicalrelationshiptoPAN.Answer:DExplanation:Cryptographicallyunrelatedtokensprovideirreversibilitywithoutrelyingonkeysecrecy.34.Theauditorreviewsthemobileapp’slocalstorageandfindsJWTrefreshtokenswithexpirationsetto90days.WhichrecommendationBESTreducestheimpactofdevicetheft?A.StoretokensinAndroidKeystorewithbiometricprotection.B.Reducetokenlifetimeto24hoursandrotateviasilentrefresh.C.EncryptSharedPreferenceswithFacebookConceal.D.Requiredevicerootdetection.Answer:BExplanation:Short-livedtokenslimitthewindowofabuse;silentrefreshmaintainsUX.35.Thestartup’sincidentresponseplanincludesa“crypto-shred”procedurewherebythetokenvaultkeyisdeletedifabreachissuspected.Whichauditconcernshouldberaised?A.KeydeletionmayviolatePCIDSSkeyescrowrequirements.B.Deletioncoulddestroyevidenceneededforforensicanalysis.C.TheprocedureisnotalignedwithGDPRrighttoerasure.D.HSMsdonotsupportsecurekeydeletion.Answer:BExplanation:Destructionofthekeymayhinderinvestigationandbreachnotification.Part4–AdvancedShort-AnswerConstructedResponse36.AnISauditorisaskedtoevaluatewhetheranewroboticprocessautomation(RPA)botthatreconcilespayrolldataintroducesmaterialrisk.Thebotrunsonavirtualdesktopunderaserviceaccount,accessestheHRsystemviaSOAP,andwritesresultstoafinancedatabase.Required:a)IdentifythreecontrolobjectivesspecifictoRPApayrollreconciliation.b)Foreachobjective,provideonetestprocedureandoneartifacttoreview.Answer:a)1.Accuracyofdataextractionandtransformation.2.Authorizationandsegregationofdutiesbetweenbotcreationandapproval.3.Completenessandtimelinessofexceptionhandling.b)1.Objective:Accuracy.Test:Re-performreconciliationforasampleof50employeesandcomparebotoutputtomanuallycalculateddeltas.Artifact:Botexecutionlogwithbefore-and-aftersalaryfigures.2.Objective:Authorization.Test:Inspectchange-managementticketforbotscriptdeploymentandverifyapprovalbyHRandFinancemanagers.Artifact:SignedchangerecordinServiceNow.3.Objective:Exceptionhandling.Test:Injectinvaliddata(negativehours)intosourcefileandverifybotcreatesticketandskipsrecord.Artifact:ExceptionreportandJiraticketauto-generated.37.AmultinationalcorporationisadoptingSecureAccessServiceEdge(SASE)toreplaceMPLS.Theauditormustassesswhetherthearchitecturemaintainsthesameassurancelevelfordata-in-transitprotectionbetweenbranchofficesandtheclouddatacenter.Required:a)Listfourencryptionpointsthatmustbevalidated.b)Describehowtotesteachpoint.Answer:a)1.BranchedgetoSASEPOP(IPsecorTLS).2.SASEPOPtoSaaSapplication(TLS).3.SASEinternalbackbonebetweenPOPs(MACsecorprivatefiber).4.SASEPOPtoIaaSVPC(site-to-siteVPNorprivateVIF).b)1.UseiperfwithpacketcapturetoverifyAES-256-GCMciphersuiteandvalidateSAlifetime.2.Runssllabs-scanagainstSaaShostnameandconfirmTLS1.3withforwardsecrecy.3.RequestproviderattestationletterandinspectMACseckeyrotationschedule.4.InitiateBGPsessionoverVPNandcapturetraffictoconfirmESPencapsulation.38.Azero-trustprojectteamclaimsthatuser-to-applicationsegmentationisachievedviasoftware-definedperimeter(SDP).Theauditorneedstoverifythatlateralmovementisindeedimpossibleonceausersessionisestablished.R