ISACA CCOA Sample Questions & Practice Test

Try 12 ISACA Certified Cybersecurity Operations Analyst (CCOA) sample questions on monitoring, triage, incident response, vulnerability handling, evidence, escalation, and security-operations judgment.

ISACA Certified Cybersecurity Operations Analyst (CCOA) is a security-operations route for candidates who need to triage alerts, preserve evidence, escalate incidents, and connect technical signals to business risk.

These original sample questions preview the SOC-style reasoning a full IT Mastery route should use. They are not official ISACA exam questions.

What this route should test

  • alert triage, incident categorization, and escalation timing
  • evidence preservation, log interpretation, and communication quality
  • vulnerability prioritization and remediation follow-up
  • operational judgment under incomplete information

Sample Exam Questions

Question 1

Topic: alert triage

A SIEM alert shows impossible travel for a privileged account and a successful login from an unfamiliar country. What should be done first?

  • A. Delete the account immediately without evidence
  • B. Validate the alert, review account activity, and follow the incident-response escalation process
  • C. Ignore the alert because the login succeeded
  • D. Disable all monitoring rules

Best answer: B

Explanation: Privileged-account anomalies need rapid validation and escalation. Analysts should preserve evidence and follow the process rather than acting blindly.


Question 2

Topic: evidence

Why should an analyst preserve raw logs before changing affected systems?

  • A. To make reports longer
  • B. To avoid learning what happened
  • C. To replace containment
  • D. To maintain evidence integrity and support investigation

Best answer: D

Explanation: Logs can be overwritten or altered during response. Preserving evidence supports root-cause analysis, reporting, and potential legal or compliance needs.


Question 3

Topic: phishing

Several users report the same suspicious link. One user entered credentials. What is the best next step?

  • A. Contain the credential risk, identify affected users, block indicators, and investigate access logs
  • B. Thank users and close the ticket
  • C. Delete all messages without reviewing headers
  • D. Wait until more users are affected

Best answer: A

Explanation: Credential entry changes the risk level. Response should include containment, indicator blocking, user scope, and access review.


Question 4

Topic: vulnerability priority

A critical vulnerability is exploitable remotely on an internet-facing system. What should drive priority?

  • A. Alphabetical order of system names
  • B. The age of the ticket only
  • C. Exploitability, exposure, business impact, and compensating controls
  • D. Whether the system owner is nearby

Best answer: C

Explanation: Vulnerability risk combines severity, exploitability, exposure, asset value, and available controls.


Question 5

Topic: containment

Malware is actively communicating with a known command-and-control host. What is the best initial action?

  • A. Ignore the traffic because the host is still running
  • B. Contain affected systems while preserving evidence and begin eradication planning
  • C. Format every server immediately
  • D. Delete the firewall logs

Best answer: B

Explanation: Active malicious communication requires containment. Evidence and scope should be preserved before eradication.


Question 6

Topic: escalation

An incident may involve regulated personal data. What should the analyst do?

  • A. Notify customers personally without approval
  • B. Hide the incident from management
  • C. Delete the affected records
  • D. Escalate according to breach-response, legal, privacy, and communications procedures

Best answer: D

Explanation: Potential data exposure has legal and privacy implications. Analysts should escalate through approved procedures.


Question 7

Topic: false positives

A detection rule generates many alerts that are consistently benign. What should the SOC do?

  • A. Tune the rule using evidence while ensuring real threats are still detected
  • B. Disable the SIEM
  • C. Ignore all alerts forever
  • D. Delete the detection logic without review

Best answer: A

Explanation: Tuning should reduce noise without losing coverage. Evidence and testing are needed before changing detection logic.


Question 8

Topic: endpoint response

An endpoint shows suspicious PowerShell execution. Which evidence is most useful?

  • A. Desk location only
  • B. Monitor size
  • C. Command line, parent process, user, timestamp, network connections, and file changes
  • D. Printer queue length

Best answer: C

Explanation: Process lineage, command arguments, user context, and related activity help determine whether execution is malicious or authorized.


Question 9

Topic: communication

During a major incident, what should status updates include?

  • A. Speculation stated as certainty
  • B. Known facts, impact, containment status, next steps, and uncertainty where applicable
  • C. Blame before facts are known
  • D. Technical jargon only

Best answer: B

Explanation: Good incident communication is factual, concise, and clear about scope, impact, actions, and unknowns.


Question 10

Topic: indicators

Which item is an indicator of compromise?

  • A. The building address
  • B. The keyboard model
  • C. The company holiday calendar
  • D. A known malicious IP observed in outbound connections

Best answer: D

Explanation: IOCs include artifacts such as malicious IPs, domains, hashes, file paths, registry keys, and behavior patterns linked to compromise.


Question 11

Topic: lessons learned

What is the purpose of a post-incident review?

  • A. Identify root causes, control gaps, response improvements, and remediation owners
  • B. Assign blame without evidence
  • C. Delete the incident record
  • D. Prove no future incident can occur

Best answer: A

Explanation: Lessons learned should improve prevention, detection, response, communication, and recovery.


Question 12

Topic: log gaps

An analyst cannot determine whether data was accessed because logs were not enabled. What should be reported?

  • A. No issue because missing logs prove nothing happened
  • B. A guarantee that no data was touched
  • C. A visibility gap that limits investigation and should be remediated
  • D. Only a request for a new dashboard color

Best answer: C

Explanation: Missing logs reduce assurance and investigation quality. The finding should focus on visibility and remediation.

Revised on Monday, May 18, 2026