Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Security Operations

Practice CISSP Security Operations questions with full explanations on every answer.

All CISSP Security Operations questions (60)

1. During a security incident, an organization's SOC team identifies a series of unauthorized access attempts from an external IP address. The incident manager needs to escalate this to the appropriate team. According to the incident response plan, which role is primarily responsible for coordinating the response and communicating with stakeholders?

2. An organization's disaster recovery plan specifies a Recovery Time Objective (RTO) of 4 hours for its critical financial application. Which disaster recovery site would be MOST appropriate to meet this RTO?

3. A forensic investigator arrives at a crime scene involving a compromised server. The server is still running. According to the order of volatility, which of the following should the investigator capture FIRST?

4. Which of the following BEST describes the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

5. A SOC team is using a SIEM to correlate events from multiple sources. They want to automate responses to common threats. Which technology should they integrate to achieve security orchestration and automation?

6. An organization's data loss prevention (DLP) solution is configured to block emails containing credit card numbers. This is an example of which type of DLP control?

7. During a vulnerability management lifecycle, after vulnerabilities are identified and prioritized, what is the NEXT step?

8. Which of the following metrics is used to determine the maximum amount of data loss an organization can tolerate in a disaster?

9. An organization is implementing a change management process. Which group is responsible for reviewing and approving major changes?

10. What is the PRIMARY purpose of a chain of custody in digital forensics?

11. A SOC has three tiers: Tier 1 triages alerts, Tier 2 investigates, and Tier 3 performs advanced analysis. An alert about a potential data exfiltration using DNS tunneling is escalated from Tier 1. Which tier is BEST suited to perform deep packet inspection and memory forensics to confirm the exfiltration?

12. An organization is recovering from a ransomware attack that encrypted critical servers. The backup strategy must ensure that the Recovery Point Objective (RPO) of 1 hour is met. Which backup method is MOST appropriate?

13. A security analyst is examining a memory dump from a compromised workstation. Which TWO tools are commonly used for memory forensics?

14. An organization is updating its incident response plan. According to best practices, which THREE components should be included in the plan?

15. A company is designing a disaster recovery strategy for its e-commerce platform. The platform requires an RTO of 2 hours and an RPO of 15 minutes. Which TWO strategies would BEST meet these requirements?

16. An organization is developing an incident response plan. Which component is responsible for defining the specific conditions that constitute an incident?

17. During a digital forensics investigation, a security analyst must preserve evidence in order of volatility. Which of the following represents the correct sequence from most volatile to least volatile?

18. A company is selecting a disaster recovery site for critical applications that must be restored within 4 hours with minimal data loss. Which site type best meets these requirements?

19. A SOC analyst receives an alert from the SIEM indicating a large volume of outbound data from a sensitive database server to an external IP address. The analyst queries the SIEM and finds the server communicated with the external IP during non-business hours. Which type of incident is most likely occurring?

20. Which metric defines the maximum amount of data loss an organization can tolerate during a disaster?

21. A security team is implementing data loss prevention (DLP) to protect sensitive information. Which DLP type is best suited to monitor and block sensitive data leaving the corporate network via email or web traffic?

22. Which role in an incident response team is primarily responsible for coordinating communication with external parties, such as the media and regulators?

23. A business continuity plan (BCP) differs from a disaster recovery plan (DRP) in that the BCP primarily focuses on:

24. An organization is implementing a patch management process. Which of the following is the most critical step to ensure that patches do not disrupt critical business operations?

25. Which digital forensics tool is specifically designed for memory forensics?

26. A security analyst is reviewing SIEM logs and notices multiple failed login attempts from a single IP address followed by a successful login. The account belongs to a user in finance. Which incident category is most appropriate?

27. What is the primary purpose of a Change Advisory Board (CAB) in change management?

28. An organization is designing a security operations center (SOC) with three tiers. Which TWO of the following are typical responsibilities of Tier 1 analysts? (Select TWO)

29. During a forensic investigation, which THREE of the following are essential to maintain chain of custody? (Select THREE)

30. A company is evaluating disaster recovery strategies and wants to minimize both RTO and RPO. Which THREE options provide the best combination of low RTO and low RPO? (Select THREE)

31. Which of the following best describes the primary purpose of an incident response plan?

32. During a digital forensics investigation, which of the following data sources has the highest order of volatility?

33. An organization has a maximum tolerable downtime (MTD) of 8 hours for its critical e-commerce platform. The recovery time objective (RTO) is set to 4 hours, and the recovery point objective (RPO) is 30 minutes. Which disaster recovery strategy is most cost-effective while meeting these requirements?

34. Which of the following is the primary purpose of a Change Advisory Board (CAB)?

35. What type of DLP system monitors data in motion across the network?

36. An organization's security operations center (SOC) uses a SIEM to correlate logs. The SOC manager wants to automate response actions for low-severity alerts. Which technology would best support this goal?

37. During a forensic investigation, the investigator must ensure that evidence is properly handled and documented. What is the primary purpose of maintaining a chain of custody?

38. An organization is designing its incident response team roles. Which role is primarily responsible for collecting and preserving evidence for legal proceedings?

39. Which of the following is an example of a social engineering attack?

40. An organization wants to ensure that its critical database can be restored to a point within the last 15 minutes in case of failure. Which metric defines this requirement?

41. Which of the following is the most important factor when prioritizing vulnerability remediation in a vulnerability management program?

42. A SOC analyst at Tier 1 identifies a potential malware infection on a user workstation. What is the next step in the standard incident response process?

43. A security analyst is selecting forensic tools for an investigation. Which TWO tools are best suited for memory forensics? (Select TWO.)

44. An organization is planning its disaster recovery strategy. Which THREE options are considered recovery site types? (Select THREE.)

45. A security manager is reviewing incident categories for inclusion in the incident response plan. Which THREE of the following are common incident categories? (Select THREE.)

46. An organization is developing an incident response plan. Which component is primarily responsible for defining the criteria for escalating an incident to senior management and legal counsel?

47. During a forensic investigation, an analyst must collect volatile data in the correct order. Which of the following sequences correctly follows the order of volatility?

48. An organization has a maximum tolerable downtime (MTD) of 8 hours for a critical application. The recovery time objective (RTO) is set to 4 hours. Which of the following best describes the purpose of the RTO?

49. A SOC analyst (Tier 1) receives an alert from the SIEM indicating a potential malware infection on a critical server. According to SOC tier responsibilities, what is the analyst's primary action?

50. A company plans to implement a disaster recovery site that can be operational within 2 hours of a failure. Which type of DR site best meets this requirement?

51. Which type of digital forensics involves capturing and analyzing network traffic to investigate a security incident?

52. A security team implements a Data Loss Prevention (DLP) solution to monitor email attachments for sensitive data. Which type of DLP is being used?

53. A Change Advisory Board (CAB) is evaluating a request to implement a critical security patch. Which RACI element is typically assigned to the CAB for the 'Approve' activity?

54. Which of the following is a key difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

55. A security analyst is identifying incident categories for a new incident response plan. Which TWO of the following are valid incident categories according to standard IR frameworks?

56. During a forensic investigation, which TWO of the following are essential steps to maintain chain of custody?

57. A company is selecting a disaster recovery strategy for a mission-critical application. Which TWO of the following strategies provide the shortest recovery time objective (RTO)?

58. A SOC manager is designing a tiered incident response team. Which THREE of the following are standard roles in an incident response team according to industry best practices?

59. A security analyst is configuring a SIEM to improve threat detection. Which THREE of the following are essential capabilities of a SIEM system?

60. A company is implementing a Data Loss Prevention (DLP) program. Which THREE of the following are common types of DLP controls?


Frequently asked questions

What does the Security Operations domain cover on the CISSP exam?

The Security Operations domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security Operations questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 60 questions in the Security Operations domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Operations for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Operations questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
