Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

ISC2 CC Security Principles • Complete Question Bank

ISC2 CC Security Principles — All Questions With Answers

Complete ISC2 CC Security Principles question bank — all 0 questions with answers and detailed explanations.

130 Questions • Free • No signup
Question 1 (easy, multiple choice)

Which principle of the CIA triad ensures that data is not disclosed to unauthorized individuals?

Question 2 (easy, multiple choice)

Which of the following is an example of a Type 2 authentication factor?

Question 3 (medium, multiple choice)

An organization implements redundant servers and failover mechanisms to ensure continuous operation during a power outage. Which goal of the CIA triad is primarily being addressed?

Question 4 (medium, multiple choice)

According to the (ISC)² Code of Ethics, which of the following obligations takes the highest priority?

Question 5 (medium, multiple choice)

A security analyst is reviewing a log that shows an unauthorized user attempted to modify a payroll database. Which security principle is most directly threatened?

Question 6 (hard, multiple choice)

A company is evaluating a new cloud service provider. As part of due diligence, they review the provider's security certifications, conduct a site visit, and check references. This process is an example of which risk management strategy?

Question 7 (medium, multiple choice)

Which of the following is classified as sensitive PII?

Question 8 (easy, multiple choice)

Which risk management strategy involves implementing security controls to reduce the likelihood or impact of a risk?

Question 9 (hard, multiple choice)

A security professional is asked to ensure that a document has not been altered since it was signed. Which technology best supports this requirement?

Question 10 (medium, multiple choice)

An employee uses a password and a one-time code from a mobile authenticator app to log in. Which authentication type is being used?

Question 11 (medium, multiple choice)

A vulnerability assessment reveals that a legacy system has unpatched software. The organization decides to accept the risk because the system is isolated and has compensating controls. This decision is an example of:

Question 12 (hard, multiple choice)

Which of the following best describes the difference between due care and due diligence in security governance?

Question 13 (medium, multi select)

A security analyst is evaluating controls to protect the confidentiality of customer data. Which TWO of the following are effective controls? (Select TWO).

Question 14 (hard, multi select)

A company is implementing a data classification policy. According to best practices, which THREE of the following should be classified as 'restricted' or 'top secret'? (Select THREE).

Question 15 (medium, multi select)

Which TWO of the following are examples of Type 3 authentication? (Select TWO).

Question 16 (easy, multiple choice)

A security professional is implementing a file integrity monitoring (FIM) system on critical servers. Which element of the CIA triad does this primarily address?

Question 17 (medium, multiple choice)

A company is deploying a multi-factor authentication (MFA) solution. Which combination represents two different authentication factors?

Question 18 (hard, multiple choice)

An organization decides to accept the risk of using a legacy system that cannot be patched due to critical business operations. This is an example of:

Question 19 (easy, multiple choice)

Which of the following is an example of a Type 2 authentication factor?

Question 20 (medium, multiple choice)

According to the (ISC)² Code of Ethics, which principle has the highest priority?

Question 21 (medium, multiple choice)

A data breach exposed customers' names, addresses, and Social Security numbers. Which type of data was compromised?

Question 22 (hard, multiple choice)

An organization is evaluating a new vendor that will process customer data. The security team performs a thorough assessment of the vendor's security controls and background checks. This process best demonstrates:

Question 23 (medium, multiple choice)

Which of the following controls is primarily designed to ensure availability?

Question 24 (easy, multiple choice)

A security analyst is implementing controls to prevent unauthorized disclosure of sensitive information. Which element of the CIA triad is being addressed?

Question 25 (medium, multiple choice)

Which of the following best describes a vulnerability in the context of risk management?

Question 26 (hard, multiple choice)

An organization labels data as 'Confidential' and requires encryption both at rest and in transit. This classification is an example of:

Question 27 (medium, multiple choice)

What is the primary purpose of a digital signature?

Question 28 (medium, multi select)

A security administrator is selecting controls to protect the confidentiality of a database containing customer PII. Which TWO controls are most appropriate?

Question 29 (hard, multi select)

An organization is implementing a risk management strategy for a new system. Which THREE actions are examples of risk mitigation?

Question 30 (easy, multi select)

Which TWO of the following are examples of Type 3 (inherence) authentication factors?

Question 31 (easy, multiple choice)

An organization implements full-disk encryption on all laptops. Which element of the CIA triad is primarily being addressed?

Question 32 (medium, multiple choice)

A security professional is asked to choose an authentication method for a high-security facility. The requirement is to use something the user 'is'. Which authentication type should be selected?

Question 33 (hard, multiple choice)

After a data breach, an organization discovers that an attacker exploited a known vulnerability in an outdated web server. The organization had previously identified the vulnerability but decided not to patch it due to potential downtime. Which risk management strategy did the organization employ?

Question 34 (medium, multiple choice)

Which of the following is an example of a Type 2 authentication factor?

Question 35 (easy, multiple choice)

An organization classifies data as 'confidential' and requires encryption at rest and in transit. Which data classification level is likely being used?

Question 36 (medium, multiple choice)

A security analyst is evaluating a new vendor for cloud services. The analyst reviews the vendor's security certifications, conducts background checks, and visits the data center. This process is an example of:

Question 37 (hard, multiple choice)

According to the (ISC)² Code of Ethics, if a conflict arises between protecting society and providing diligent service to your employer, which should take precedence?

Question 38 (medium, multiple choice)

A company uses redundant servers and automated failover to ensure that its website remains accessible during a server outage. Which principle of the CIA triad is being addressed?

Question 39 (easy, multiple choice)

What is the primary purpose of hashing in information security?

Question 40 (medium, multiple choice)

Which of the following is an example of a vulnerability?

Question 41 (hard, multiple choice)

A company stores customer PII including social security numbers and medical records. Under privacy principles, these data elements are best described as:

Question 42 (easy, multiple choice)

Which of the following is a control that can reduce the risk of a DDoS attack?

Question 43 (medium, multiple choice)

When implementing multi-factor authentication, which combination of factors is considered strongest?

Question 44 (hard, multiple choice)

A security manager is advised to implement 'due care' in their organization. Which action best exemplifies due care?

Question 45 (medium, multiple choice)

An organization wants to ensure that an email message has not been altered during transmission. Which security control should be used?

Question 46 (medium, multi select)

A security professional is reviewing authentication methods. Which TWO are examples of Type 2 (possession) factors? (Select TWO)

Question 47 (hard, multi select)

Which THREE of the following are considered risk management strategies? (Select THREE)

Question 48 (easy, multi select)

Which TWO of the following are examples of integrity controls? (Select TWO)

Question 49 (easy, multiple choice)

Which of the following is an example of a physical control that supports the availability principle of the CIA triad?

Question 50 (medium, multiple choice)

An organization implements a policy requiring employees to use a smart card and a PIN to access the data center. This is an example of which type of authentication?

Question 51 (hard, multiple choice)

A security analyst discovers that a vendor's software contains a known vulnerability that could lead to data exposure. The analyst reports this to management. According to risk management principles, which action represents risk transfer?

Question 52 (easy, multiple choice)

Which of the following best describes the purpose of due care in information security?

Question 53 (medium, multiple choice)

A company stores customer records that include names, addresses, and Social Security numbers. According to ISC2 Code of Ethics, which canon has the highest priority when handling this sensitive data?

Question 54 (hard, multiple choice)

An organization labels its financial reports as "Confidential" and requires encryption at rest and in transit. This is an example of:

Question 55 (easy, multiple choice)

Which of the following ensures that data has not been tampered with during transmission?

Question 56 (medium, multiple choice)

A security team implements a load balancer to distribute traffic across multiple web servers. This control primarily supports which principle?

Question 57 (medium, multiple choice)

Which of the following is an example of a Type 1 authentication factor?

Question 58 (hard, multiple choice)

After a security breach, the organization conducts a background check on a new vendor before signing a contract. This practice is known as:

Question 59 (easy, multiple choice)

What is the primary goal of data classification?

Question 60 (medium, multiple choice)

An organization uses a digital signature to verify the authenticity of a software update. This supports which part of the CIA triad?

Question 61 (medium, multi select)

Which TWO of the following are examples of sensitive PII? (Select TWO.)

Question 62 (hard, multi select)

A company is implementing risk management for a new project. Which THREE of the following are valid risk treatment options? (Select THREE.)

Question 63 (medium, multi select)

Which TWO of the following are examples of multi-factor authentication? (Select TWO.)

Question 64 (easy, multiple choice)

An organization encrypts all sensitive data at rest and in transit. Which principle of the CIA triad is primarily being addressed?

Question 65 (medium, multiple choice)

A security analyst implements a hashing algorithm to verify that a downloaded file has not been altered. Which security goal is being achieved?

Question 66 (hard, multiple choice)

A multinational corporation deploys redundant servers in geographically diverse data centers and uses a load balancer to distribute traffic. This setup primarily addresses which security concern?

Question 67 (easy, multiple choice)

Which of the following is an example of Type 2 (possession) authentication?

Question 68 (medium, multiple choice)

A user logs into a system using a password and a one-time passcode from a mobile authenticator app. This is an example of:

Question 69 (hard, multiple choice)

According to the (ISC)² Code of Ethics, which canon has the highest priority?

Question 70 (medium, multiple choice)

A company performs background checks on potential employees before hiring. This action demonstrates which concept?

Question 71 (easy, multiple choice)

Which of the following is considered sensitive Personally Identifiable Information (PII)?

Question 72 (medium, multiple choice)

A security team identifies that a server has a known vulnerability. A threat actor could exploit it to gain unauthorized access. The combination of these factors represents:

Question 73 (hard, multiple choice)

A company decides to accept the risk of using a legacy system because the cost of replacing it exceeds potential losses. This is an example of:

Question 74 (easy, multiple choice)

Which data classification level typically requires the highest level of protection?

Question 75 (medium, multiple choice)

A system administrator implements version control for all configuration files. Which principle is being strengthened?

Question 76 (hard, multiple choice)

During a vendor risk assessment, a company discovers that a potential vendor has poor security practices. The company decides not to hire the vendor. This is an example of:

Question 77 (medium, multi select)

A security analyst is implementing controls to protect the integrity of a database. Which TWO of the following controls would best achieve this goal?

Question 78 (hard, multi select)

An organization is developing a data classification policy. Which THREE of the following are common classification levels?

Question 79 (easy, multiple choice)

An organization implements encryption for data at rest and in transit. Which principle of the CIA triad is primarily being addressed?

Question 80 (medium, multiple choice)

A security administrator is configuring a system to detect unauthorized changes to critical files by calculating and storing a hash value for each file. Which security goal is primarily supported?

Question 81 (hard, multiple choice)

After a major DDoS attack, a company deploys redundant internet connections and load balancers to ensure continued access to its web services. Which principle of the CIA triad is being strengthened?

Question 82 (easy, multiple choice)

Which of the following is an example of Type 2 authentication?

Question 83 (medium, multiple choice)

An organization requires employees to enter a password and then approve a push notification on their mobile device to access the corporate network. What type of authentication is this?

Question 84 (hard, multiple choice)

A security consultant is evaluating a vendor's security practices before signing a contract. The consultant reviews the vendor's security policies, incident response plans, and conducts background checks on key personnel. This activity is an example of:

Question 85 (medium, multiple choice)

According to the (ISC)² Code of Ethics, which canon has the highest priority?

Question 86 (easy, multiple choice)

Which of the following is considered Sensitive PII?

Question 87 (medium, multiple choice)

A company classifies its data into four categories: Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?

Question 88 (hard, multiple choice)

An organization decides to accept the risk of using an older software version known to have vulnerabilities because the cost of upgrading outweighs the potential impact. This is an example of:

Question 89 (medium, multiple choice)

Which of the following best describes a vulnerability in the context of risk management?

Question 90 (hard, multiple choice)

A company implements a new firewall and intrusion detection system to reduce the risk of network breaches. This is an example of:

Question 91 (medium, multi select)

A security analyst is designing a multi-factor authentication system for remote access. Which TWO of the following combinations represent true multi-factor authentication? (Select TWO)

Question 92 (hard, multi select)

An organization is conducting a risk assessment. Which THREE of the following are considered assets? (Select THREE)

Question 93 (medium, multi select)

A security policy requires that data classified as 'Confidential' must be encrypted both at rest and in transit. Which TWO of the following are likely data handling requirements for 'Confidential' data? (Select TWO)

Question 94 (easy, multiple choice)

Which security principle ensures that data cannot be accessed by unauthorized individuals?

Question 95 (easy, multiple choice)

An organization uses hashing to ensure that data has not been altered during transmission. Which security principle is being implemented?

Question 96 (easy, multiple choice)

Which authentication type is a smart card an example of?

Question 97 (medium, multiple choice)

A company implements redundant servers to ensure that if one server fails, another can take over immediately. Which security principle is primarily being addressed?

Question 98 (medium, multiple choice)

An organization requires both a password and a fingerprint scan to access a secure system. This is an example of:

Question 99 (medium, multiple choice)

According to the (ISC)² Code of Ethics, which obligation has the highest priority?

Question 100 (medium, multiple choice)

What is the difference between due care and due diligence in security governance?

Question 101 (medium, multiple choice)

Which of the following is considered sensitive personally identifiable information (PII)?

Question 102 (medium, multiple choice)

A security team identifies a vulnerability in a web application that could allow attackers to steal customer data. The team decides to accept the risk because the cost to fix exceeds the potential loss. This is an example of:

Question 103 (hard, multiple choice)

An organization classifies data as 'Confidential' and requires encryption both at rest and in transit. Which data classification level best fits this requirement?

Question 104 (hard, multiple choice)

What is the primary purpose of a digital signature?

Question 105 (hard, multiple choice)

A company conducts a background check on a new vendor before signing a contract. This activity is an example of:

Question 106 (medium, multi select)

An organization wants to implement multi-factor authentication for remote access. Which TWO of the following would provide multi-factor authentication? (Select TWO)

Question 107 (hard, multi select)

Which THREE of the following are examples of risk mitigation? (Select THREE)

Question 108 (hard, multi select)

An organization is developing a data classification policy. Which THREE of the following should be classified as Confidential or higher? (Select THREE)

Question 109 (easy, multiple choice)

Which of the following best describes the principle of confidentiality in the CIA triad?

Question 110 (easy, multiple choice)

Which type of authentication factor involves something the user knows?

Question 111 (medium, multiple choice)

A security analyst recommends implementing digital signatures to ensure that a software update has not been altered during distribution. Which aspect of the CIA triad is primarily being addressed?

Question 112 (medium, multiple choice)

An organization implements a redundant server infrastructure to ensure that services remain operational even if one server fails. This is an example of protecting which principle?

Question 113 (medium, multiple choice)

Which of the following is an example of a Type 2 authentication factor?

Question 114 (hard, multiple choice)

According to the (ISC)² Code of Ethics, which of the following has the highest priority?

Question 115 (medium, multiple choice)

A company is evaluating a new cloud service provider and performs a thorough investigation of the provider's security practices and compliance with industry standards. This activity is best described as:

Question 116 (medium, multiple choice)

Which of the following is an example of sensitive PII?

Question 117 (hard, multiple choice)

In risk management, which term describes the probability that a threat will exploit a vulnerability and cause harm to an asset?

Question 118 (easy, multiple choice)

Which data classification level typically requires the highest level of protection and is reserved for information that could cause catastrophic harm if disclosed?

Question 119 (medium, multiple choice)

A security team decides to implement multi-factor authentication for all remote access. Which combination of factors would constitute multi-factor authentication?

Question 120 (hard, multiple choice)

An organization decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment strategy?

Question 121 (medium, multi select)

An organization is implementing a new access control system. Which TWO of the following are examples of Type 3 authentication factors?

Question 122 (hard, multi select)

A security analyst is reviewing data handling procedures. Which THREE of the following are considered sensitive PII?

Question 123 (medium, multi select)

An organization is developing a security policy. Which TWO of the following are core components of the CIA triad?

Question 124 (medium, multiple choice)

A security analyst is implementing a solution to ensure that data transmitted between two servers cannot be read by unauthorized parties. Which security principle is the analyst primarily addressing?

Question 125 (easy, multi select)

An organization wants to implement multi-factor authentication (MFA) for remote access. Which two types of authentication factors would meet the definition of MFA? (Choose two.)

Question 126 (medium, multi select)

A company is classifying data and wants to ensure that personally identifiable information (PII) receives appropriate protection. Which two of the following are considered PII? (Choose two.)

Question 127 (hard, multi select)

A security team is conducting a risk assessment for a new cloud application. They have identified a vulnerability in the application that could allow unauthorized access to sensitive data. Which three risk management strategies should they consider? (Choose three.)

Question 128 (medium, multi select)

A security professional is advising a company on adherence to the (ISC)² Code of Ethics. Which two of the following actions align with the Code's canons? (Choose two.)

Question 129 (hard, multi select)

A financial institution is implementing data classification to protect customer information. They have identified data that includes medical records and financial account numbers. Which three labels are most appropriate for this data? (Choose three.)

Question 130 (easy, multi select)

An organization wants to ensure the integrity of a software update before deployment. Which two methods can be used to verify integrity? (Choose two.)
