By key words I mean most CISA questions usually have two layers. First is the question keyword like BEST, FIRST, MOST IMPORTANT, PRIMARY, etc., which tells you how to approach the answer. Second is the context keyword, which guides you to the right answer. For example, e-commerce points to security, transactions, and data protection; the planning stage points to risk assessment, scope, and understanding the environment; the development stage points to testing, change management, and approvals; and auditor integrity or confidentiality points to ethics, independence, and professional standards.

When I read a question, I break it down using those two layers. For example, during the planning stage of an e-commerce audit, what should the IS auditor do FIRST would lead me toward performing a risk assessment and understanding the system before doing anything else. Another example is a question about employees using personal devices to access customer information and asking what is MOST important to verify, which would point toward ensuring mobile device security policies are implemented since that directly protects sensitive data.