CISA domain - 26% of the exam

Information Systems Operations and Business Resilience

Information Systems Operations and Business Resilience is 26% of the Certified Information Systems Auditor (CISA) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Sample question from this domain

Free sample. Domain: Information Systems Operations and Business Resilience. Difficulty: easy

An IS auditor is reviewing the IT asset management process at a logistics firm and finds that the configuration management database (CMDB) records hardware ownership, location, and warranty status, while the software asset register records licence entitlements and deployment counts. Which statement BEST describes how these two records should relate within a mature IT asset management programme?

  • A. The software asset register should be reconciled against the CMDB so that entitlements are compared with deployments and unsupported or unlicensed software is identified. (Correct)
  • B. The CMDB should replace the software asset register because configuration items already include installed software components and their version data.
  • C. The two records should remain independent to preserve segregation of duties between operations staff who maintain the CMDB and procurement staff who maintain the licence register.
  • D. The CMDB should be updated only when a software audit by the vendor is announced, so that the operational record matches the entitlement position at that moment.
Recognise that periodic reconciliation between the software asset register and the CMDB is the primary control for identifying licensing and deployment exposures. Software asset management relies on comparing contractual entitlements with actual deployments. The software asset register captures rights granted by licences, while the CMDB captures the operational footprint. Without reconciliation, an organisation cannot evidence licence compliance, plan renewals, or detect unsupported software that increases security and continuity risk.

Why A is correct: Reconciling entitlements held in the software asset register against deployment data in the CMDB is the recognised control that surfaces under-licensing, over-licensing, and unsupported versions, satisfying both audit and compliance objectives.

Why B is wrong: This is tempting because the CMDB does record installed software as configuration items; however, a CMDB tracks operational state for service management, not licence entitlements or contractual rights, so it cannot satisfy software asset management obligations on its own.

Why C is wrong: Segregation of duties applies to who can authorise and record asset changes, not to whether two registers may be reconciled; keeping the records permanently disconnected defeats the purpose of asset management.

Why D is wrong: Updating the CMDB only in response to vendor audits is reactive and undermines day-to-day service management; the CMDB must reflect the current operational state continuously, regardless of audit timing.
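The reconciliation that option A describes, as an added worked example (this is editorial code, not material from Examworthy or ISACA and not any SAM or CMDB product's logic). The register and CMDB records are constructed; the register is additionally assumed to carry the vendor-supported versions for each product so that unsupported deployments can be flagged alongside licensing exposures.

```python
"""Reconcile a software asset register against CMDB installed-software CIs.

Added example (not from the page, ISACA, or any SAM/CMDB product). All data is
constructed; the register is assumed to also carry vendor-supported versions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    product: str
    licensed: int                  # seats the contract grants
    recorded_deployments: int      # deployment count the register currently holds
    supported_versions: frozenset  # assumption: versions still under vendor support


# Constructed software asset register (the entitlement side of the reconciliation).
REGISTER = {
    "acme-erp": Entitlement("acme-erp", 10, 10, frozenset({"9.1", "9.2"})),
    "dbserver": Entitlement("dbserver", 4, 3, frozenset({"14", "15"})),
    "pdfmaker": Entitlement("pdfmaker", 20, 20, frozenset({"3"})),
}

# Constructed CMDB installed-software CIs: (hostname, product, version).
CMDB_SOFTWARE_CIS = (
    [(f"wh-app-{i:02d}", "acme-erp", "9.2") for i in range(1, 13)]  # 12 installs, 10 licensed
    + [("wh-db-01", "dbserver", "15"), ("wh-db-02", "dbserver", "15"),
       ("wh-db-03", "dbserver", "13")]                               # "13" is out of support
    + [(f"wh-ws-{i:02d}", "pdfmaker", "3") for i in range(1, 6)]     # 5 installs, 20 licensed
    + [("wh-ws-07", "scanner-pro", "2.0")]                           # no entitlement at all
)


def reconcile(register, cmdb_cis):
    """Compare entitlements with actual deployments; return findings per product.

    Each finding is {"deployed": n, "licensed": n or None, "issues": [...]}.
    """
    deployed = defaultdict(int)
    unsupported_hosts = defaultdict(list)
    for host, product, version in cmdb_cis:
        deployed[product] += 1
        ent = register.get(product)
        if ent is not None and version not in ent.supported_versions:
            unsupported_hosts[product].append(host)

    findings = {}
    # Walk the union so products licensed but never deployed are reported too.
    for product in sorted(set(deployed) | set(register)):
        n = deployed.get(product, 0)
        ent = register.get(product)
        issues = []
        if ent is None:
            issues.append("unlicensed_product")  # deployed with no entitlement
            findings[product] = {"deployed": n, "licensed": None, "issues": issues}
            continue
        if n > ent.licensed:
            issues.append(f"under_licensed_by_{n - ent.licensed}")
        elif n < ent.licensed:
            issues.append(f"over_licensed_by_{ent.licensed - n}")  # shelfware, renewal saving
        if ent.recorded_deployments != n:
            issues.append("register_count_stale")  # register no longer matches the CMDB
        if unsupported_hosts[product]:
            hosts = ",".join(sorted(unsupported_hosts[product]))
            issues.append("unsupported_version_on:" + hosts)
        findings[product] = {"deployed": n, "licensed": ent.licensed, "issues": issues}
    return findings


def exceptions(findings):
    """Flat, sorted list of (product, issue) pairs for the audit workpaper."""
    return sorted((p, i) for p, f in findings.items() for i in f["issues"])


if __name__ == "__main__":
    for product, issue in exceptions(reconcile(REGISTER, CMDB_SOFTWARE_CIS)):
        print(f"{product:12s} {issue}")
```

Run as-is it lists seven exceptions: the ERP product is deployed on two more hosts than it is licensed for and the register still shows the old count, one database host runs an unsupported release, the PDF tool is heavily over-licensed (a renewal saving, and again a stale register count), and one product appears in the CMDB with no entitlement at all. None of these surface from either record on its own, which is the point of the control.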

Other domains in this exam

See also the CISA cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by ISACA. Original, blueprint-aligned practice material only.