Free CPA ISC (Information Systems & Controls) Practice Questions
The CPA ISC discipline section tests information technology, data management, and cybersecurity concepts. Practice more than 1,000 questions on systems architecture, data governance, privacy controls, and SOC engagements.
Everything You Need to Pass
1,028+ Practice Questions
Every question includes a detailed, step-by-step solution.
Flashcards & Spaced Repetition
Smart review cards that adapt to what you need to study.
Timed Mock Exams
Full-length practice exams simulating the real test.
Performance Analytics
Track accuracy by topic and difficulty to find weak spots.
Personalized Study Plan
Dynamic schedule based on your exam date and progress.
Sample Questions
Question 1
Easy
Which authentication factor category does a fingerprint scan belong to?
Solution
D is correct. A fingerprint scan is a biometric authentication factor classified as 'something you are.' Biometric factors are based on unique physical or behavioral characteristics of the individual, including fingerprints, retinal patterns, iris scans, facial recognition, voiceprints, and behavioral biometrics. These characteristics are inherent to the person and cannot be easily shared or transferred.
A is incorrect because 'something you know' refers to knowledge-based factors like passwords and PINs, not physical characteristics.
B is incorrect because 'something you have' refers to physical objects in the user's possession, not biological traits.
C is incorrect because 'somewhere you are' is a location-based factor, not a biometric characteristic.
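The practical consequence of these categories, which the solution above does not spell out, is that two factors from the same category (a password plus a security question, say) do not make a login multi-factor. The following added example, written for this page and not taken from the question bank, classifies factors into the four categories named in the solution and checks that a login presents factors from at least two distinct categories. The factor names in the lookup table are illustrative assumptions.

```python
from enum import Enum


class FactorCategory(Enum):
    """The four authentication factor categories named in the solution above."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"
    LOCATION = "somewhere you are"


# Assumed factor names mapped to categories. The names are illustrative;
# a real system would classify the credential types it actually issues.
FACTOR_CATEGORIES = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "security_question": FactorCategory.KNOWLEDGE,
    "totp_app": FactorCategory.POSSESSION,
    "hardware_token": FactorCategory.POSSESSION,
    "smart_card": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "iris_scan": FactorCategory.INHERENCE,
    "facial_recognition": FactorCategory.INHERENCE,
    "voiceprint": FactorCategory.INHERENCE,
    "geofence": FactorCategory.LOCATION,
}


def classify(factor: str) -> FactorCategory:
    """Return the category of a factor; reject names the table does not know
    rather than silently treating them as a usable factor."""
    try:
        return FACTOR_CATEGORIES[factor.lower()]
    except KeyError:
        raise ValueError(f"unknown authentication factor: {factor!r}") from None


def distinct_categories(factors) -> set:
    """The set of categories covered by the presented factors."""
    return {classify(f) for f in factors}


def is_multifactor(factors, minimum: int = 2) -> bool:
    """True only when the factors span at least `minimum` distinct categories.
    Counting factors instead of categories is the classic mistake: a password
    and a security question are two factors but one category."""
    return len(distinct_categories(factors)) >= minimum


if __name__ == "__main__":
    print(classify("fingerprint").value)                      # something you are
    print(is_multifactor(["password", "fingerprint"]))        # True
    print(is_multifactor(["password", "security_question"]))  # False
```

The check deliberately counts categories rather than factors, which is the distinction an auditor reviewing an MFA control should be looking for.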
Question 2
Medium
A SOC 2+ engagement differs from a standard SOC 2 engagement in that a SOC 2+ report:
Solution
A is correct. A SOC 2+ engagement includes the standard Trust Services Criteria plus additional criteria from other frameworks such as HIPAA, the NIST Cybersecurity Framework, ISO 27001, or the Cloud Security Alliance Cloud Controls Matrix (the basis of CSA STAR attestation). The additional criteria are mapped alongside the Trust Services Criteria, allowing the service organization to demonstrate compliance with multiple standards in a single report. The result is still a SOC 2 attestation report; it does not by itself confer ISO 27001 certification or any formal HIPAA compliance status.
B is incorrect because SOC 2+ does not replace the Trust Services Criteria; it supplements them with additional frameworks.
B is incorrect because the system description remains a required element in SOC 2+ engagements.
C is incorrect because SOC 2+ is not restricted to any specific industry; any service organization can elect to include additional criteria relevant to its operations.
Question 3
Hard
A financial services company must comply with both NIST CSF and ISO 27001. The CISO notes that NIST CSF is descriptive and flexible while ISO 27001 is prescriptive and certifiable. How should the organization BEST leverage both frameworks in its security program?
Solution
A is correct. NIST CSF and ISO 27001 are complementary. NIST CSF provides a flexible, risk-based structure organized around its core functions (Identify, Protect, Detect, Respond, and Recover in CSF 1.1; CSF 2.0 adds Govern) that works well for strategic cybersecurity governance. ISO 27001 provides a prescriptive ISMS with specific Annex A controls, selected through the Statement of Applicability, that can be audited and certified. By using NIST CSF as the overarching risk management framework and mapping its categories and subcategories to specific ISO 27001 controls, the organization achieves both strategic risk management and certifiable compliance.
D is incorrect because NIST CSF offers valuable strategic risk management capabilities that ISO 27001 alone does not fully address, and using both is industry best practice.
C is incorrect because artificially separating technical and administrative controls between frameworks creates gaps and misses the benefit of integrated mapping.
B is incorrect because SOC 2 Trust Services Criteria serve a different purpose (service organization assurance) and do not replace enterprise cybersecurity frameworks.
Topics
Information Systems and Data Management
422 questions
Security, Confidentiality and Privacy
399 questions
Considerations for SOC Engagements
207 questions
About FreeFellow
FreeFellow is a free exam prep platform for actuarial (SOA & CAS), CFA, CFP, CPA, CAIA, and securities licensing candidates. Every question includes a detailed solution. Full lessons, flashcards with spaced repetition, timed mock exams, performance analytics, and a personalized study plan are all included — no paywalls, no ads.