Practice CISSP Security and Risk Management questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. An organization is implementing a new access control system. Which of the following represents the correct order of the AAA framework components?
2. A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?
3. Under the ISC2 Code of Ethics, which canon takes precedence over all others?
4. A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?
5. Which governance framework provides guidance specifically for aligning IT services with business needs and includes a service lifecycle?
6. In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?
7. Which of the following is an example of a security policy?
8. Under GDPR, which of the following is a valid lawful basis for processing personal data?
9. A hospital is subject to HIPAA. Which of the following is required when sharing protected health information (PHI) with a third-party billing company?
10. In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?
11. Which of the following is a key objective of a business impact analysis (BIA)?
12. Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?
13. A security manager is choosing a risk response for a high-impact, high-likelihood risk. Which TWO responses are most appropriate? (Select TWO)
14. Which THREE of the following are data subject rights under the GDPR? (Select THREE)
15. A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)
16. Which of the following is the primary purpose of the CIA triad in information security?
17. An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?
18. A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?
19. During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?
20. Which of the following is a key requirement under the GDPR regarding personal data breaches?
21. According to the ISC2 Code of Ethics, which of the following canons has the highest priority when resolving an ethical dilemma?
22. A security manager is calculating the annual loss expectancy (ALE) for a server valued at $50,000. The exposure factor (EF) is 40%, and the annual rate of occurrence (ARO) is 0.5. What is the ALE?
23. Under the PCI DSS, which of the following best describes a 'cardholder data environment' (CDE)?
24. Which component of the AAA framework is responsible for determining what resources a user can access and what actions they can perform?
25. An organization is implementing a BCP. After completing the BIA, which of the following is the next logical step in the planning process?
26. Which of the following is a key difference between a policy and a guideline in information security governance?
27. A healthcare organization covered by HIPAA wants to share protected health information (PHI) with a third-party billing service. What must be in place to comply with HIPAA?
28. A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?
29. A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?
30. Which TWO of the following are examples of risk response strategies?
31. Which of the following is the PRIMARY purpose of the confidentiality principle in the CIA triad?
32. An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?
33. A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?
34. Under the GDPR, what is the maximum time frame for notifying the supervisory authority of a personal data breach?
35. Which of the following is the correct order of priority for the ISC2 Code of Ethics Canons?
36. A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?
37. Which document provides detailed step-by-step instructions for performing a specific security task?
38. A company decides to purchase cyber insurance to cover potential losses from data breaches. Which risk response strategy does this represent?
39. Under HIPAA, what is the primary purpose of a Business Associate Agreement (BAA)?
40. Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA) in business continuity planning?
41. A company is implementing PCI DSS compliance. Which requirement is related to protecting cardholder data at rest?
42. An organization has identified a risk with a high likelihood and high impact. Management decides to implement controls to reduce the likelihood. After controls, the risk is reassessed as medium likelihood and medium impact. What is the residual risk?
43. Which TWO of the following are lawful bases for processing personal data under the GDPR? (Select two)
44. Which THREE of the following are key components of a disaster recovery plan for a hot site? (Select three)
45. Which TWO of the following are examples of non-repudiation controls? (Select two)
46. A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?
47. Which of the following is the correct order of the ISC2 Code of Ethics canons from highest to lowest priority?
48. An organization is implementing a new access control system. They want to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?
49. Under the GDPR, a data controller experiences a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. What is the maximum time frame within which the controller must notify the supervisory authority?
50. Which type of risk remains after management has implemented controls to mitigate the identified risks?
51. A financial institution is required to comply with SOX. Which of the following is a key focus area for IT under SOX?
52. During a business impact analysis (BIA), which metric represents the maximum amount of time a business process can be disrupted before causing significant harm to the organization?
53. In qualitative risk analysis, a risk is assessed with a likelihood of 4 (on a scale of 1-5) and an impact of 5. The risk matrix defines scores of 15-25 as high. What is the risk rating?
54. Which document is mandatory, high-level, and sets the direction for security within an organization?
55. Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with which of the following?
56. An organization wants to avoid a particular risk entirely by not engaging in the activity that creates the risk. Which risk response strategy is being used?
57. Which component of the CIA triad ensures that information is not disclosed to unauthorized individuals, entities, or processes?
58. A company is designing a disaster recovery plan. They need to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?
59. Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?
60. A company is implementing a hot site as a disaster recovery option. Which of the following best describes a hot site?
61. A security officer is developing a risk management plan. Which TWO of the following are valid risk response strategies? (Select TWO.)
62. Under the GDPR, which THREE of the following are rights of data subjects? (Select THREE.)
63. In the context of business continuity planning, which THREE of the following are typically identified during a business impact analysis (BIA)? (Select THREE.)
64. An organization's security policy requires that all data at rest must be encrypted. Which security principle is primarily being addressed?
65. A company is implementing a risk management program. They have identified a critical server with an asset value of $50,000. The exposure factor due to a potential threat is 40%, and the annual rate of occurrence is 2. What is the Annualized Loss Expectancy (ALE)?
66. During a Business Impact Analysis (BIA), the maximum amount of time a business process can be unavailable before causing significant harm is determined. Which metric represents this?
67. A security manager is evaluating risk responses for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk response strategy is most appropriate?
68. Under the ISC2 Code of Ethics, which canon has the highest priority?
69. An organization is required to report a personal data breach to the supervisory authority within 72 hours. Which regulation imposes this requirement?
70. A company's disaster recovery plan includes an agreement with another company to provide backup computing facilities in case of a disaster. The agreement allows the second company to use the facilities for its own operations if needed. This arrangement is best described as:
71. Which TWO of the following are elements of the AAA framework in security?
72. According to the ISC2 Code of Ethics, which TWO canons are listed in the correct order of priority (highest to lowest)?
73. Which THREE of the following are valid risk response strategies?
74. Under GDPR, which TWO of the following are valid lawful bases for processing personal data?
The Security and Risk Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 74 questions in the Security and Risk Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security and Risk Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.