ISACA · IoT-Fund
Validates foundational knowledge of Internet of Things technology, covering IoT network components, sensors and actuators, middleware, physical security systems, data authentication and protection methods, and IoT architecture elements.
Questions
630
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Feb 2026
Use this IoT-Fund practice exam to prepare for IoT Fundamentals Certificate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 630 questions for ISACA IoT-Fund, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA IoT Fundamentals Certificate validates foundational knowledge of Internet of Things concepts and the technologies that enable IoT ecosystems. The exam assesses a candidate's understanding of IoT network architecture, the roles of sensors and actuators, middleware functionality, physical security systems, and data authentication and protection methods. It is part of ISACA's Certified in Emerging Technology (CET) Certification program, which encompasses four certificate exams — Cloud Computing Fundamentals, Blockchain Fundamentals, IoT Fundamentals, and AI Fundamentals — that together constitute the full CET credential.
The certification employs a hybrid assessment model, combining traditional knowledge-based multiple-choice questions with performance-based questions delivered in a live virtual lab environment. This approach ensures candidates can not only articulate IoT principles but also demonstrate practical skills in applying IoT technologies. The exam covers real-world IoT use cases across industries including healthcare, government, utilities, and enterprise operations, with particular emphasis on security risks and governance considerations.
The IoT Fundamentals Certificate is designed for individuals at the beginning of their IoT journey, including students, recent graduates, and career changers seeking to establish credibility in emerging technology domains. IT professionals looking to broaden their skills into IoT, as well as cybersecurity, risk, and audit professionals who need to evaluate IoT environments and their associated controls, are well-suited for this credential.
Technical and business analysts who bridge IoT technology with organizational strategy, consultants and solution architects advising on IoT implementations, and government or utility professionals working on smart infrastructure initiatives are also prime candidates. Because there are no prerequisites, the exam is accessible to anyone with a foundational interest in IoT, regardless of prior formal technology credentials.
ISACA imposes no formal prerequisites for the IoT Fundamentals Certificate. Candidates can register at any time without meeting prior educational or professional requirements, making it one of the most accessible entry points in ISACA's credentialing portfolio.
While no prior experience is required, candidates with a basic familiarity with networking concepts, general IT infrastructure, and cybersecurity principles will find the material more approachable. ISACA recommends using its official preparation resources — the self-guided online course, the lab package, and the study guide — to build the necessary foundational knowledge before attempting the exam.
The IoT Fundamentals exam consists of 60 questions delivered in a computer-based, remotely proctored format over a 2-hour time limit. Questions blend traditional knowledge-based multiple-choice items with performance-based questions set in a virtual lab environment, assessing both conceptual understanding and practical application. Candidates must achieve a passing score of 65% or higher.
The exam is administered online with continuous registration — there are no restricted testing windows. Exam eligibility is valid for 12 months from the date of registration, and appointments can be scheduled as early as 48 hours after payment. Candidates receive four total attempts within any rolling 12-month period. Rescheduling is permitted without penalty provided at least 48 hours' notice is given.
Earning the IoT Fundamentals Certificate signals to employers a verified, vendor-neutral understanding of IoT concepts validated by ISACA, a globally recognized IT governance and cybersecurity credentialing body. The certificate serves as a stepping stone toward ISACA's full Certified in Emerging Technology (CET) Certification, which requires passing all four CET-track exams (Cloud Computing, Blockchain, IoT, and AI Fundamentals) and submitting an application. Holding the CET designation positions professionals across roles such as IoT solution architect, cybersecurity analyst, IT risk consultant, technical analyst, and smart infrastructure engineer.
The IoT market continues to expand rapidly across sectors including industrial automation, healthcare, smart cities, and connected consumer devices, driving consistent enterprise demand for professionals who can evaluate IoT risk and governance. While salary data specific to this certificate is not published by ISACA, professionals who pair this credential with broader cybersecurity or cloud certifications — such as ISACA's CISM or CISA — report enhanced positioning for mid-to-senior roles in IT audit, risk management, and emerging technology advisory functions.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 630 questions.
Preview — answers shown1. An IoT device manufacturer implements Device Twins in their cloud-based IoT platform to manage thousands of distributed field devices. Each Device Twin maintains metadata, desired configuration states, and reported device states. Which three components are part of the Device Twin data structure? (Select three!)
Multiple correct answersExplanation
Device Twins (or Device Shadows) consist of three main components: Tags are backend-only metadata used for device organization, grouping, and queries without being visible to devices. Desired Properties represent the configuration the backend wants the device to adopt, sent from cloud to device. Reported Properties contain the device's current state and capabilities reported from device to cloud. Firmware binary images are stored separately in blob storage, not within the Device Twin JSON document which only stores configuration and state metadata. Audit logs are maintained in separate logging systems, not as part of the twin structure. Historical telemetry data is stored in time-series databases, while Device Twins maintain only current state, not historical data.
2. An enterprise implements FAIR (Factor Analysis of Information Risk) methodology for IoT risk assessment. FAIR quantifies risk in monetary terms using two primary components. Which two components does FAIR analyze to calculate risk? (Select two!)
Multiple correct answersExplanation
Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM) are the two primary components in FAIR methodology. LEF estimates how often loss events will occur, while PLM estimates the financial impact when events occur. Risk is calculated by multiplying these components to produce monetary risk values that support business decisions. Security control effectiveness contributes to LEF calculation but is not a primary component. Threat actor sophistication influences LEF but FAIR focuses on event frequency and magnitude. Vulnerability severity score from CVSS is a separate scoring system, while FAIR converts risks to financial terms through LEF and PLM.
3. An IoT device development team selects an embedded operating system for resource-constrained sensor nodes with 32KB RAM and 128KB flash storage. The application requires IPv6 networking, multi-threading capability, and active open-source community support. Which IoT operating system best matches these requirements? (Select one!)
Explanation
RIOT OS provides real-time multi-threading capabilities specifically designed for resource-constrained IoT devices, supports IPv6 networking through 6LoWPAN, runs on devices with 32KB RAM, and maintains active open-source development. Contiki OS supports networked constrained systems with IPv6 but uses protothreads (cooperative multitasking) rather than true multi-threading. Ubuntu Server and Fedora IoT are general-purpose Linux distributions requiring significantly more resources (gigabytes of RAM and storage) than available on constrained embedded devices with 32KB RAM.
4. An RPL-based sensor network experiences routing loops after a DODAG root failure. Network administrators analyze node rank values to identify the issue. Which statement correctly describes how rank prevents loops in RPL? (Select one!)
Explanation
In RPL, rank represents a node's distance from the DODAG root and must strictly decrease when moving upward toward the root. This ensures packets traveling upward come from nodes with higher rank values. Rank must strictly increase when moving downward away from the root. This monotonic relationship prevents routing loops by ensuring parent nodes always have lower rank than their children. Nodes at different distances from the root have different rank values based on their position. Rank is calculated using objective functions based on metrics like hop count or link quality, not randomly assigned.
5. A logistics company implements LoRaWAN Class A devices for cargo container tracking. The devices send location updates every 2 hours and must minimize power consumption to achieve 5-year battery life. After each uplink transmission, the device must briefly listen for potential downlink commands from the network server. How many receive windows does a LoRaWAN Class A device open after each uplink transmission? (Select one!)
Explanation
LoRaWAN Class A devices open exactly two short receive windows after each uplink transmission: RX1 opens 1 second after uplink completion and RX2 opens 2 seconds after uplink completion. This is the defining characteristic of Class A operation, providing the lowest power consumption since devices sleep between transmissions and only listen briefly after uplinks. This bi-directional communication allows downlink commands while maintaining very low power usage suitable for battery-powered sensors. Class A devices do not maintain continuous receive windows; continuous listening is a Class C characteristic trading power consumption for immediate downlink capability. Three receive windows are not part of the LoRaWAN specification; the protocol defines two specific windows with defined timing. Class A devices must support downlink communication; transmit-only devices would violate the LoRaWAN specification and prevent network management functions like firmware updates and configuration changes.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam