Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security and Risk Management

Practice CISSP Security and Risk Management questions with full explanations on every answer.

74 questions


All CISSP Security and Risk Management questions (74)


1. An organization is implementing a new access control system. Which of the following represents the correct order of the AAA framework components?

2. A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?

3. Under the ISC2 Code of Ethics, which canon takes precedence over all others?

4. A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?

5. Which governance framework provides guidance specifically for aligning IT services with business needs and includes a service lifecycle?

6. In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?

7. Which of the following is an example of a security policy?

8. Under GDPR, which of the following is a valid lawful basis for processing personal data?

9. A hospital is subject to HIPAA. Which of the following is required when sharing protected health information (PHI) with a third-party billing company?

10. In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?

11. Which of the following is a key objective of a business impact analysis (BIA)?

12. Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?

13. A security manager is choosing a risk response for a high-impact, high-likelihood risk. Which TWO responses are most appropriate? (Select TWO)

14. Which THREE of the following are data subject rights under the GDPR? (Select THREE)

15. A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)

16. Which of the following is the primary purpose of the CIA triad in information security?

17. An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?

18. A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?

19. During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?

20. Which of the following is a key requirement under the GDPR regarding personal data breaches?

21. According to the ISC2 Code of Ethics, which of the following canons has the highest priority when resolving an ethical dilemma?

22. A security manager is calculating the annual loss expectancy (ALE) for a server valued at $50,000. The exposure factor (EF) is 40%, and the annual rate of occurrence (ARO) is 0.5. What is the ALE?

23. Under the PCI DSS, which of the following best describes a 'cardholder data environment' (CDE)?

24. Which component of the AAA framework is responsible for determining what resources a user can access and what actions they can perform?

25. An organization is implementing a BCP. After completing the BIA, which of the following is the next logical step in the planning process?

26. Which of the following is a key difference between a policy and a guideline in information security governance?

27. A healthcare organization covered by HIPAA wants to share protected health information (PHI) with a third-party billing service. What must be in place to comply with HIPAA?

28. A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?

29. A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?

30. Which TWO of the following are examples of risk response strategies?

31. Which of the following is the PRIMARY purpose of the confidentiality principle in the CIA triad?

32. An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?

33. A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?

34. Under the GDPR, what is the maximum time frame for notifying the supervisory authority of a personal data breach?

35. Which of the following is the correct order of priority for the ISC2 Code of Ethics Canons?

36. A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?

37. Which document provides detailed step-by-step instructions for performing a specific security task?

38. A company decides to purchase cyber insurance to cover potential losses from data breaches. Which risk response strategy does this represent?

39. Under HIPAA, what is the primary purpose of a Business Associate Agreement (BAA)?

40. Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA) in business continuity planning?

41. A company is implementing PCI DSS compliance. Which requirement is related to protecting cardholder data at rest?

42. An organization has identified a risk with a high likelihood and high impact. Management decides to implement controls to reduce the likelihood. After controls, the risk is reassessed as medium likelihood and medium impact. What is the residual risk?

43. Which TWO of the following are lawful bases for processing personal data under the GDPR? (Select two)

44. Which THREE of the following are key components of a disaster recovery plan for a hot site? (Select three)

45. Which TWO of the following are examples of non-repudiation controls? (Select two)

46. A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?

47. Which of the following is the correct order of the ISC2 Code of Ethics canons from highest to lowest priority?

48. An organization is implementing a new access control system. They want to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?

49. Under the GDPR, a data controller experiences a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. What is the maximum time frame within which the controller must notify the supervisory authority?

50. Which type of risk remains after management has implemented controls to mitigate the identified risks?

51. A financial institution is required to comply with SOX. Which of the following is a key focus area for IT under SOX?

52. During a business impact analysis (BIA), which metric represents the maximum amount of time a business process can be disrupted before causing significant harm to the organization?

53. In qualitative risk analysis, a risk is assessed with a likelihood of 4 (on a scale of 1-5) and an impact of 5. The risk matrix defines scores of 15-25 as high. What is the risk rating?

54. Which document is mandatory, high-level, and sets the direction for security within an organization?

55. Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with which of the following?

56. An organization wants to avoid a particular risk entirely by not engaging in the activity that creates the risk. Which risk response strategy is being used?

57. Which component of the CIA triad ensures that information is not disclosed to unauthorized individuals, entities, or processes?

58. A company is designing a disaster recovery plan. They need to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?

59. Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?

60. A company is implementing a hot site as a disaster recovery option. Which of the following best describes a hot site?

61. A security officer is developing a risk management plan. Which TWO of the following are valid risk response strategies? (Select TWO.)

62. Under the GDPR, which THREE of the following are rights of data subjects? (Select THREE.)

63. In the context of business continuity planning, which THREE of the following are typically identified during a business impact analysis (BIA)? (Select THREE.)

64. An organization's security policy requires that all data at rest must be encrypted. Which security principle is primarily being addressed?

65. A company is implementing a risk management program. They have identified a critical server with an asset value of $50,000. The exposure factor due to a potential threat is 40%, and the annual rate of occurrence is 2. What is the Annualized Loss Expectancy (ALE)?

66. During a Business Impact Analysis (BIA), the maximum amount of time a business process can be unavailable before causing significant harm is determined. Which metric represents this?

67. A security manager is evaluating risk responses for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk response strategy is most appropriate?

68. Under the ISC2 Code of Ethics, which canon has the highest priority?

69. An organization is required to report a personal data breach to the supervisory authority within 72 hours. Which regulation imposes this requirement?

70. A company's disaster recovery plan includes an agreement with another company to provide backup computing facilities in case of a disaster. The agreement allows the second company to use the facilities for its own operations if needed. This arrangement is best described as:

71. Which TWO of the following are elements of the AAA framework in security?

72. According to the ISC2 Code of Ethics, which TWO canons are listed in the correct order of priority (highest to lowest)?

73. Which THREE of the following are valid risk response strategies?

74. Under GDPR, which TWO of the following are valid lawful bases for processing personal data?


Frequently asked questions

What does the Security and Risk Management domain cover on the CISSP exam?

The Security and Risk Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security and Risk Management questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 74 questions in the Security and Risk Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security and Risk Management for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security and Risk Management questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security and Risk Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
