Wednesday, June 17, 2026

Domain 5: Protection of Information Assets: Why it’s the toughest + highest weight in CISA


1. *Highest weight*: 27% of the exam = 41-43 questions out of 150. No other domain is heavier

2. *Most technical*: Covers cryptography, access controls, network security, endpoints, cloud, IoT, mobile security, data privacy, security monitoring. Needs both audit + IT sec depth

3. *Hardest to score*: ISACA’s pass-rate data + candidate surveys consistently rank Domain 5 as lowest scoring because:

   - Concepts overlap → access control vs network security vs crypto gets confusing

   - Scenario-heavy questions → “Auditor observes X, what’s the biggest risk?” not definitions

   - Requires hands-on knowledge, not just audit theory


Domain weight breakdown for CISA Jan 2024 syllabus:

| Domain | Name | Weight | Qs approx |
|---|---|---|---|
| **Domain 5** | Protection of Information Assets | **27%** | 41-43 |
| Domain 4 | IS Ops & Business Resilience | 23% | 34-36 |
| Domain 1 | IS Auditing Process | 21% | 31-33 |
| Domain 2 | Governance & Mgmt of IT | 17% | 25-27 |
| Domain 3 | IS Acquisition/Dev/Impl | 12% | 18-20 |

Why candidates struggle most with Domain 5:

- *Breadth*: Crypto algorithms, PKI, firewalls, IDS/IPS, VPN, IAM, DLP, cloud security models all in 1 domain

- *Audit angle*: ISACA doesn’t test “how to configure firewall”. They test “what control objective, what test, what risk if missing”

- *Tricky distractors*: All options sound like good controls. You need “most effective for auditor” mindset


*Pro tip for CISA*: If you master Domain 5 + Domain 4 together = 50% of exam. Most people who fail miss passing marks due to these 2 domains.


*Top 15 high-yield topics + tricky ISACA patterns from Domain 5: Protection of Information Assets* 👇  

Master these = you cover ∼70% of Domain 5 questions


*Top 15 High-Yield Topics for CISA Domain 5*


*1. Access Controls - IAM*

- High yield: Least privilege, segregation of duties, user provisioning/de-provisioning, role-based vs rule-based access

- Trick: ISACA asks “biggest risk” → Orphaned accounts, shared accounts, excessive privileges beat weak passwords
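An auditor test for the orphaned-account risk above, as an added example (not from the original post): join an HR termination list against an account export and flag terminated users whose access is still enabled past a grace period. All names, dates and the account export format are constructed.

```python
"""Orphaned-account test: terminated users whose VPN/directory account is still
enabled after a grace period. Constructed sample data, not a real HR or IdP export."""
from datetime import date

# Constructed HR termination list: user -> termination date.
HR_TERMINATIONS = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 4, 20),
    "cwhite": date(2024, 5, 28),
}
# Constructed account export: user -> status as reported by the VPN/identity system.
ACTIVE_VPN_ACCOUNTS = {
    "asmith": "enabled",
    "bjones": "disabled",   # de-provisioned correctly
    "cwhite": "enabled",
    "dlee": "enabled",      # still employed, so not in the HR list
}
# Date the audit evidence was pulled (constructed).
AUDIT_DATE = date(2024, 6, 1)


def find_orphaned_accounts(terminations, accounts, as_of, grace_days=1):
    """Return [(user, days_since_termination)] for terminated users whose
    account is still 'enabled' more than grace_days after termination,
    oldest first. Users absent from the export or already disabled are skipped."""
    orphaned = []
    for user, term_date in terminations.items():
        if accounts.get(user) != "enabled":
            continue
        age_days = (as_of - term_date).days
        if age_days > grace_days:
            orphaned.append((user, age_days))
    return sorted(orphaned, key=lambda item: item[1], reverse=True)


def deprovisioning_finding(terminations, accounts, as_of, grace_days=1):
    """Audit conclusion: (number of orphaned accounts, age of the oldest in days).
    (0, 0) means the de-provisioning control is operating within the grace period."""
    orphaned = find_orphaned_accounts(terminations, accounts, as_of, grace_days)
    return (len(orphaned), orphaned[0][1] if orphaned else 0)


if __name__ == "__main__":
    for user, age in find_orphaned_accounts(HR_TERMINATIONS, ACTIVE_VPN_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: terminated {age} days ago, VPN account still enabled")
```

Re-running with a 30-day grace period reproduces the scenario in practice question 1: only accounts that outlived the whole window remain flagged.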


*2. Cryptography Basics*

- High yield: Symmetric vs Asymmetric, hashing, digital signatures, PKI, certificates, key management

- Trick: “Non-repudiation” = digital signature + PKI. “Integrity” = hashing. “Confidentiality” = encryption


*3. Network Security Controls*

- High yield: Firewall types, IDS vs IPS, VPN, VLAN, DMZ, proxy, NAC

- Trick: IPS = prevention + blocks traffic. IDS = detection + alerts only. DMZ = place public servers between 2 firewalls


*4. Security Incident & Monitoring*

- High yield: SIEM, log review, incident response phases, forensic chain of custody

- Trick: “First step after incident” = Containment, not eradication. “Best evidence” = write-blocker + hash
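The "write-blocker + hash + chain of custody" evidence practice above, as an added example (not from the original post): hash the image at acquisition, re-hash at every handover, and verify later. The evidence image, exhibit id and names are constructed; a real acquisition would read the image from a write-blocked device.

```python
"""Evidence integrity: acquisition hash + append-only chain-of-custody log.
Constructed evidence bytes stand in for a disk image captured via a write-blocker."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the acquired image (not real evidence).
EVIDENCE_IMAGE = b"CONSTRUCTED-EVIDENCE-IMAGE-" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Holds the acquisition hash and every custody entry for one exhibit."""

    def __init__(self, exhibit_id: str, image: bytes, acquired_by: str):
        self.exhibit_id = exhibit_id
        self.acquisition_hash = sha256_hex(image)
        self.log = [self._entry("acquired", acquired_by, self.acquisition_hash)]

    @staticmethod
    def _entry(action: str, person: str, digest: str) -> dict:
        return {"time": datetime.now(timezone.utc).isoformat(),
                "action": action, "person": person, "sha256": digest}

    def transfer(self, from_person: str, to_person: str, image_copy: bytes) -> bool:
        """Record a handover. The copy being handed over is re-hashed; the entry is
        logged either way, so a mismatch stays visible in the chain. Returns True
        if the copy still matches the acquisition hash."""
        digest = sha256_hex(image_copy)
        self.log.append(self._entry(f"transfer {from_person}->{to_person}", to_person, digest))
        return digest == self.acquisition_hash

    def verify(self, image_copy: bytes) -> bool:
        """Court-readiness check: the copy matches the acquisition hash AND no
        logged handover ever recorded a different digest (unbroken chain)."""
        chain_intact = all(e["sha256"] == self.acquisition_hash for e in self.log)
        return chain_intact and sha256_hex(image_copy) == self.acquisition_hash


def tampered_copy(image: bytes) -> bytes:
    """Flip the last byte to simulate a modified working copy (constructed)."""
    return image[:-1] + bytes([image[-1] ^ 0xFF])
```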


*5. Cloud Security - CSA CCM*

- High yield: Shared responsibility model, IaaS vs PaaS vs SaaS controls, CSP vs customer responsibilities

- Trick: Customer always responsible for data, identity, access mgmt. CSP responsible for physical + host OS


*6. Data Loss Prevention DLP*

- High yield: Network DLP vs Endpoint DLP, data classification, encryption at rest vs in transit

- Trick: Biggest risk for data leakage = misconfigured cloud storage bucket, not hackers


*7. Mobile & IoT Security*

- High yield: BYOD controls, MDM, jailbreaking risk, IoT default passwords, firmware updates

- Trick: ISACA focus = lack of centralized management is biggest risk


*8. Physical & Environmental Security*

- High yield: Mantrap, CCTV retention, fire suppression types, UPS vs generator

- Trick: Halon/CO2 = data center. Water sprinklers = office. Biggest risk = tailgating


*9. Change & Patch Management*

- High yield: Emergency changes, segregation in change mgmt, patch testing

- Trick: “Best control for unauthorized changes” = version control + code review, not just logging


*10. BCP/DRP - RTO/RPO*

- High yield: BIA, RTO, RPO, MTD, alternate sites: cold, warm, hot

- Trick: RPO = max data loss. RTO = max downtime. If the backup interval is longer than the RPO = control gap


*11. Database Security*

- High yield: SQL injection, database auditing, privileged user mgmt, encryption

- Trick: Biggest risk = SA/admin accounts not segregated from DBA duties


*12. End User Computing - Excel risk*

- High yield: EUC controls, spreadsheet risk, data input validation

- Trick: ISACA loves: “No audit trail + formula errors” = highest risk in EUC


*13. OS & Endpoint Security*

- High yield: Hardening, anti-malware, patch mgmt, endpoint detection EDR

- Trick: “Most effective control” = disable unused services/ports, not antivirus alone


*14. Data Privacy & Regulations*

- High yield: GDPR, PII, data residency, right to be forgotten, data retention

- Trick: Auditor’s role = check compliance, not define legal interpretation


*15. Vulnerability Mgmt*

- High yield: Vulnerability scan vs penetration test, risk rating CVSS, remediation prioritization

- Trick: “First step after scan” = Validate false positives. “Highest priority” = high CVSS + exposed to internet
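The two tricks above (validate false positives first, then rank by CVSS + internet exposure) as an added example, not code from the original post: the findings, host names and scores are constructed scan output.

```python
"""Remediation prioritization over scan findings: drop validated false positives,
then rank by internet exposure first and CVSS score second. Constructed data."""

# Constructed scan findings (not from any real scanner run).
FINDINGS = [
    {"id": "F-001", "host": "web-01", "cvss": 9.8, "internet_facing": True, "false_positive": False},
    {"id": "F-002", "host": "db-01", "cvss": 9.1, "internet_facing": False, "false_positive": False},
    {"id": "F-003", "host": "web-01", "cvss": 5.3, "internet_facing": True, "false_positive": True},
    {"id": "F-004", "host": "web-02", "cvss": 7.5, "internet_facing": True, "false_positive": False},
    {"id": "F-005", "host": "file-01", "cvss": 4.0, "internet_facing": False, "false_positive": False},
]


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands: 9.0+ critical, 7.0+ high, 4.0+ medium, >0 low."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def prioritize(findings):
    """Step 1: keep only findings that survived false-positive validation.
    Step 2: order by exposure (internet-facing first), then by CVSS descending.
    Returns the ordered list of finding ids."""
    confirmed = [f for f in findings if not f["false_positive"]]
    ranked = sorted(confirmed, key=lambda f: (f["internet_facing"], f["cvss"]), reverse=True)
    return [f["id"] for f in ranked]


def first_remediation_tier(findings):
    """Critical severity AND internet-facing: what the auditor expects fixed first."""
    return [f["id"] for f in findings
            if not f["false_positive"] and f["internet_facing"] and severity(f["cvss"]) == "critical"]


if __name__ == "__main__":
    print("remediation order:", prioritize(FINDINGS))
    print("fix first:", first_remediation_tier(FINDINGS))
```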


*5 Tricky ISACA Question Patterns in Domain 5*


1. *“Most effective control from auditor view”*  

   They want preventive > detective > corrective. Least privilege > password policy > monitoring


2. *“Biggest risk” scenarios*  

   Always choose: Shared accounts > Weak password. Missing encryption > weak encryption. Orphaned account > no password expiry


3. *“First step / next step” in incident/BCP*  

   Incident: Identify → Contain → Eradicate → Recover → Lessons learned  

   BCP: BIA first, then strategy, then plan


4. *“Best evidence for court”*  

   Hash + write-blocker + chain of custody. Screenshots/logs alone = weak


5. *Cloud responsibility traps*  

   Option with “CSP ensures data encryption” is wrong. Customer ensures data encryption. CSP ensures infra encryption


*How to score 80%+ in Domain 5*

1. Think like auditor, not security admin → “What test proves control works?”

2. Memorize RTO/RPO definitions + crypto purposes 

3. Do 200+ Domain 5 practice Qs. ISACA question style > knowledge



Here are *20 CISA Domain 5 case-based MCQs* with ISACA-style distractors. Do them first, then check the *Answer Key + Auditor Logic* below 👇


*Part A: 20 Practice Questions*


*1. Access Control*  

Auditor finds 20 terminated employees still have VPN access after 30 days. Biggest risk?  

A. Weak password policy  

B. Orphaned accounts  

C. No MFA on VPN  

D. Unencrypted traffic


*2. Crypto*  

Which provides non-repudiation for email?  

A. Symmetric encryption AES  

B. Hashing SHA-256  

C. Digital signature using sender’s private key  

D. SSL/TLS


*3. Network Security*  

Company has firewall + IDS. Auditor wants to test if attack traffic is blocked. Best test?  

A. Review IDS alert logs  

B. Run vulnerability scan  

C. Attempt attack and check if IPS drops packets  

D. Review firewall rule list


*4. Cloud*  

In SaaS model, who is responsible for encrypting customer data at rest?  

A. CSP only  

B. Customer only  

C. Both CSP and Customer  

D. Third-party auditor


*5. Incident Response*  

Ransomware detected on server. What is auditor’s recommended FIRST step?  

A. Restore from backup  

B. Eradicate malware  

C. Contain infected server from network  

D. Notify law enforcement


*6. DLP*  

Company stores sensitive PII in public S3 bucket with no access controls. Biggest risk?  

A. SQL injection  

B. Insider threat  

C. Data leakage due to misconfiguration  

D. Weak encryption


*7. Mobile/BYOD*  

Auditor observes employees use personal phones for email with no MDM. Biggest control gap?  

A. No antivirus on phones  

B. No centralized wipe/lock capability  

C. Weak phone PIN  

D. No VPN


*8. Physical Security*  

Data center uses water sprinklers. Auditor’s biggest concern?  

A. Fire detection delay  

B. Water damage to equipment  

C. No UPS  

D. Tailgating


*9. Change Mgmt*  

Emergency change made to production DB without testing. Best preventive control?  

A. Detailed change log  

B. Segregation: developer cannot move to production  

C. Post-implementation review  

D. Backup before change


*10. BCP*  

BIA shows RPO = 2 hours, but backups run every 6 hours. Auditor’s conclusion?  

A. Acceptable risk  

B. Backup frequency does not meet RPO  

C. RTO is too low  

D. Need hot site


*11. Database*  

DBA also has system admin rights on DB server. Biggest risk?  

A. SQL injection  

B. Lack of segregation of duties  

C. No encryption  

D. Weak password


*12. EUC*  

Finance uses complex Excel for month-end with no version control or audit trail. Biggest risk?  

A. Formula errors go undetected  

B. File size too large  

C. No password protection  

D. Slow processing


*13. OS Hardening*  

Server has 15 unused services running. Auditor’s top recommendation?  

A. Install antivirus  

B. Disable unused services/ports  

C. Increase password length  

D. Enable logging


*14. Privacy*  

Under GDPR, which is NOT a data subject right?  

A. Right to access  

B. Right to be forgotten  

C. Right to data portability  

D. Right to free software


*15. Vulnerability Mgmt*  

Vuln scan shows 100 findings. Auditor says top priority = 5 critical vulns on internet-facing web server. Reason?  

A. Highest CVSS + exposure  

B. Oldest findings  

C. Most findings on internal servers  

D. Easiest to patch


*16. Forensics*  

Auditor collects evidence from compromised laptop. Best practice for court?  

A. Take screenshots  

B. Copy files to USB, hash original  

C. Use write-blocker + hash + maintain chain of custody  

D. Email evidence to self


*17. PKI*  

User loses private key. What happens?  

A. Public key must be revoked  

B. Certificate must be revoked + new key pair issued  

C. Nothing, public key still works  

D. Only password reset needed


*18. VPN*  

Remote users connect via VPN with split tunneling enabled. Biggest risk?  

A. Slower speed  

B. Malware on home PC can enter corporate network  

C. No encryption  

D. High bandwidth cost


*19. Firewall vs Proxy*  

Which best hides internal IP addresses from internet?  

A. Packet filter firewall  

B. Stateful firewall  

C. Proxy server  

D. IDS


*20. DRP Site*  

Company chooses cold site for DRP to save cost. Auditor’s concern?  

A. Too expensive  

B. RTO will be long due to setup time  

C. No redundancy  

D. Data loss


---


*Part B: Answer Key + Auditor Logic*


1. *B* - Orphaned accounts = terminated user access. Biggest risk per ISACA > weak password

2. *C* - Non-repudiation = digital signature + private key. Hash = integrity, AES = confidentiality

3. *C* - IPS blocks. IDS only alerts. Auditor tests effectiveness, not just reviews rules

4. *B* - SaaS shared model: Customer = data + access. CSP = infra. Data encryption at rest = customer

5. *C* - IR order: Contain > Eradicate > Recover. Containment stops spread

6. *C* - ISACA favorite: Misconfigured cloud storage > hackers for data leakage risk

7. *B* - No MDM = no remote wipe. Biggest risk for lost/stolen device

8. *B* - Water + servers = damage. Data center should use gas suppression

9. *B* - Preventive control for unauthorized change = segregation. Log = detective

10. *B* - RPO 2hr but backup 6hr = gap. Can lose 4hr data

11. *B* - DBA + sysadmin = SOD violation. Can hide changes

12. *A* - ISACA EUC risk = formula errors + no audit trail. That’s #1

13. *B* - Most effective hardening = reduce attack surface by disabling services

14. *D* - GDPR rights: access, erasure, portability. “Free software” not a right

15. *A* - Prioritize by CVSS + exposure. Internet-facing + critical = first

16. *C* - Court evidence = write-blocker + hash + chain of custody. Proves integrity

17. *B* - Private key lost = certificate compromised. Must revoke + reissue

18. *B* - Split tunneling = home network connects to corp. Bridge for malware

19. *C* - Proxy masks internal IPs. Firewall filters, IDS detects

20. *B* - Cold site = no equipment. Long RTO. Cheap but slow recovery


*Score guide*: 17-20 = Domain 5 ready. 14-16 = Revise weak topics. <14 = Redo crypto + cloud + access control


www.gmsisuccess.in
