The Pattern Lab
Every ISC question is one of 13 recurring patterns. Learn to spot each one, run its playbook, and clear them all. Each pattern has a recognition guide and a cross-topic drill.
Patterns cleared
0 / 13Information systems and data management
IT governance and the SDLC change pipeline, general versus application controls, and the data life cycle from keys to quality.
The Governance Mandate
Governance sets direction and keeps accountability: management still owns outsourced controls, and incompatible IT duties stay split.
8 questions
The Change Pipeline
Code moves through the SDLC under change control: users test, someone independent migrates, and emergency fixes get logged after the fact.
8 questions
The Control Classifier
Sort the control: general controls govern the whole IT environment, application controls guard one system's input, processing, and output.
8 questions
The Data Backbone
Structure, store, and check the data: primary and foreign keys relate the tables, and the quality dimensions decide whether it can be trusted.
8 questions
Security and system resilience
Continuity and recovery objectives, the security frameworks and CIA triad, access control, and the threat and incident lifecycle.
The Resilience Plan
Continuity planning sets two clocks and a site: RTO is downtime tolerated, RPO is data loss tolerated, and the site speed must match.
8 questions
The Security Foundation
Anchor to the fundamentals: the CIA triad names the goal, and the framework question is COBIT versus NIST CSF versus ISO 27001.
8 questions
The Access Gate
Prove identity, then grant the least access: authentication uses factors, authorization uses roles, and termination triggers prompt deprovisioning.
8 questions
The Threat Taxonomy
Name the threat precisely: a worm self-propagates, a vulnerability is a weakness not an attack, and a zero-day has no patch yet.
8 questions
The Incident Playbook
Run the incident lifecycle in order: detect, contain, eradicate, recover, then learn, and keep the forensic chain of custody intact.
8 questions
Confidentiality and privacy
Privacy versus confidentiality, the de-identification spectrum, and the regulatory regimes with their breach-notification clocks.
SOC engagements
Selecting the right SOC report and trust services category, the roles and mechanics of the engagement, and the reporting opinion.
The SOC Selector
Match scenario to report: SOC 1 for financial reporting, SOC 2 restricted, SOC 3 public, then pick the Type and trust services category.
8 questions
The SOC Mechanics
Know the roles and ownership: the service organization writes the description and assertion, the auditor opines, and CUECs sit with the user.
8 questions
The SOC Opinion
Grade the opinion by severity: unmodified when fair, qualified for a limited problem, adverse when pervasive, disclaimer when scope is lost.
8 questions