Isaca Updated CISA Exam Questions and Answers by kaiden

The best way to facilitate the legal process in the event of an incident is to preserve the chain of custody of the evidence. The chain of custody is a record of who handled, accessed, or modified the evidence, when, where, how, and why. The chain of custody helps to ensure the integrity, authenticity, and admissibility of the evidence in a court of law. The chain of custody also helps to prevent tampering, alteration, or loss of evidence that could compromise the investigation or the prosecution. References:

CISAReview Manual (Digital Version)

CISA Questions, Answers and Explanations Database

For an organization that has plans to implement web-based trading, it would be most important for an IS auditor to verify that the organization’s information security plan includes security requirements for the new application. Security requirements are statements that define what security features and functions are needed to protect the confidentiality, integrity, and availability of the web-based trading application and its data. Security requirements should be identified and documented during the planning phase of the application development life cycle, before any design or coding activities take place. Attributes for system passwords, security training prior to implementation, and firewall configuration for the web server are also important aspects of information security, but they are not as essential as security requirements for ensuring that the web-based trading application meets its security objectives.

The primary objective of a disaster recovery plan is recovery of interrupted IT-related activities in a way that minimizes the impact of the disruption. Official ISACA definitions describe disaster recovery as activities and programs designed to return the enterprise to an acceptable condition and restore critical business functions through a DRP. ISACA’s glossary defines a disaster recovery plan (DRP) as a set of human, physical, technical, and procedural resources to recover an interrupted activity within a defined time and cost.

Among the answer choices, A. Minimizing loss of information is the best match. ISACA guidance states that a DRP contains procedures for restoring systems and data, minimizing loss of information and downtime, and ensuring business continuity. This makes option A the strongest answer because it captures a direct purpose of the DRP itself.

Option B (“Assessing the risk of key applications”) is an important planning activity, but it is not the primary objective of the DRP. Risk assessment is part of developing continuity capability, not the ultimate aim of the plan. ISACA continuity guidance treats assessing risks and impacts as a step in the DRP process, not the main end goal.

Option C (“Identifying key business processes”) is also an important prerequisite, typically associated more with business impact analysis and business continuity planning. It helps define what must be protected and restored, but it is not itself the primary objective of the DRP. ISACA distinguishes business continuity activities from disaster recovery, with DR focusing more specifically on restoring IT systems, infrastructure, and data after disruption.

Option D (“Documenting all IT assets”) may support recovery preparedness, but this is clearly not the primary objective of a DRP. Asset documentation is administrative and supportive; the goal of the plan is restoration and recovery with minimal disruption and data loss.

Therefore, A is the correct answer because official ISACA material directly states that the DRP is intended to restore systems and data while minimizing loss of information and downtime.

References (Official ISACA):

ISACA Glossary, Disaster Recovery (DR) and Disaster Recovery Plan (DRP) definitions.

ISACA Now Blog, Disaster Recovery and Business Continuity Preparedness for Cloud-Based Start-Ups — states that a DRP includes restoring systems and data, minimizing loss of information and downtime, and ensuring business continuity.

ISACA Journal, Working Toward a Managed, Mature Business Continuity Plan — distinguishes DR as focusing on rebuilding/recovering site, infrastructure, and data.

ISACA Journal, Information System Contingency Planning Guidance — supports that planning activities such as risk awareness are part of planning, not the primary objective itself.