CISA interview questions [updated 2019]

Tyra Appleby
July 11, 2019 by
Tyra Appleby

The Certified Information System Auditor (CISA) exam is based on security controls related to IT infrastructure. A CISA certification increases the likelihood of being asked to interview for a variety of jobs in the cybersecurity realm. These include: information security architect, information security analyst, information system auditor, IT compliance analyst, and more.

Interview Questions

Below is a list of questions you could encounter in an interview.

What is an RFC?

A request for change (RFC) is a process that sets up authorization for changes to the system. The CISA auditor must be able to identify and respond when changes could harm the security of the network. The RFC keeps track of any current and former changes to a system.

What are some pitfalls of virtualized systems?

Working in the cloud gives people the advantage of working anywhere, but virtualization also leaves people open to security hacks such as man in the middle attacks, keyloggers and hackers that gain access to the main account where data is stored.

What is change management?

Change management is usually a group of people who are in charge of identifying the risk and impact of system changes. The CISA will be responsible for identifying risks of changes that affect security.

What happens when a change damages a system or doesn’t roll out as planned?

The CISA and other change management personnel are responsible for calling a rollback. All changes should have a rollback plan in case something goes wrong with the deployment.

What types of processes can you add to deployment plans to help security?

Have developers fill out forms to identify each change and document which systems are being changed during the deployment plan.

What are some security systems in place to protect from unauthorized traffic?

Firewalls protect the internal network at the router or server level. Antivirus software stops virus software from installing, and penetration testing systems run scripts to identify any potential threats to the network.

What is the purpose of a CISA audit trail?

Audit trails allow you and the company to track systems with sensitive information. Audit trails are mainly used to track which user accessed data and track the time the data was accessed. These trails can help companies identify improper use of private data.

What are some ways that companies can lose data?

Hackers and malware are the two primary ways data is lost. Other reasons include unhappy or dishonest employees, accidental data leaks or stolen property such as laptops.

What is the standard protocol of the Internet?

The TCP/IP protocol is used by the Internet and most internal networks.

How can a CISA auditor get a better idea of how the system works?

Talk to management, read documents, watch processes performed by other employees and read system logs and data.

What is a BIA and what is it used for?

The Business Impact Analysis, which is useful in creating the Business Continuity Plan.

In evaluating the use of a biometric system in an environment that has high security requirements, what is an item that is important to consider?

The false-acceptance rate.

Which control should be implemented when granting account access to third-party vendors?

Creating a temporary account that has a set expiration date and limited access.

Describe a honeypot

A security device used to deflect unauthorized access by creating an enticing trap containing data that appears legitimate.

What is a disadvantage of using long asymmetric encryption keys?

Even though asymmetric encryption technology is generally more secure, it is a slower method and increases the overhead costs.

You’re an auditor evaluating the network of a company that provides wireless access for a fee, requiring them to process financial data. The company’s wireless network connection has implemented the use of SSL and WTLS. What is one of the top concerns?

That a hacker may compromise the WAP gateway.

When an auditor evaluates an IT system, what user features should be evaluated?

The auditor should ensure all users have access to system documentation and user guides.

Auditors are used to review security controls and policy. What are the pitfalls of inadequate control implementation and policy definitions?

Giving users unauthorized accesses, increasing the likelihood of a breach, improper load balancing or other poor network configurations can cause bottlenecked or degraded performance, data exfiltration, or noncompliance.

What are other benefits to having continuous auditing?

It improves the overall security posture of an organization.

What is the BCP?

The Business Continuity Plan (BCP) is the written organizational policy used in incident response. In writing the BCP, the Business Impact Analysis is analyzed and a risk assessment is performed to determine potential risks to the organization and the best way to mitigate those risks based on the company’s needs.

What is sociability testing?

A type of test performed to determine if an application is working as expected in a specified environment.

Name two types of backup methods used for remote backup sites

Shadow file processing and electronic vaulting.

What is the CA used for? And what processes can it delegate?

The CA is the certificate authority in PKI technology. It issues the certificates. The CA is able to delegate the process of establishing a link between the requesting entity and its public key.

What is the purpose of network encryption?

To protect the confidentiality of information that passes through the network.

When you find a flaw in the system while performing an audit, what is the best response?

Auditors do not fix system flaws, they are noted in the final report and submitted to the system owners for their review. It is their duty to determine what to do concerning the flaw.


Because the CISA exam proves knowledge in auditing techniques, it is important to understand the overall job duties of an auditor. An interviewer could ask a range of questions about the auditing process. This could include how to ensure the organization has implemented the required controls onto the system, types of scanning tools to use, the process to manually review controls, understanding firewall or IPTables rules and what should be included in a Disaster Recovery or Business Continuity Plan. They will ask many scenario-based questions to understand your thought process and see if you know how to implement your knowledge in real-world situations.

For more on the CISA certification, view our CISA certification hub.

Tyra Appleby
Tyra Appleby

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.