
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security and Risk Management

Practice CISSP Security and Risk Management questions with full explanations on every answer.

75 questions


Security and Risk Management: choose a session length of 10 questions (~10 min), 20 questions (~20 min), 30 questions (~30 min), or 50 questions (~50 min). Free, no account required.


All CISSP Security and Risk Management questions (75)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

2. A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

3. A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

4. During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

5. An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

6. A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

7. A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

8. An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?

9. Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

10. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

11. Which TWO of the following are examples of administrative controls? (Select exactly 2)

12. A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?

13. Based on the exhibit, what security control is being demonstrated?

14. You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

15. You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?

16. Drag and drop the steps for conducting a risk assessment in the correct order.

17. Match each security control to its category (preventive, detective, corrective).

18. A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?

19. An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?

20. A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?

21. Based on the firewall log entry, what is the most likely cause of the denied traffic?

22. Based on the exhibit, which security objective is this policy primarily designed to protect?

23. Based on the SIEM correlation rule, what behavior is this rule designed to detect?

24. During a business impact analysis (BIA), a department manager states that a critical process cannot be interrupted for more than 2 hours. However, the current backup system requires 8 hours to restore. What is the most appropriate risk management action?

25. An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?

26. A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?

27. Which TWO of the following are key indicators that a security awareness training program is effective? (Choose two.)

28. Which THREE of the following are control families defined in NIST SP 800-53? (Choose three.)

29. Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)

30. An organization is implementing a security program and wants to ensure it meets legal and regulatory requirements. The security manager is reviewing the concept of due care. Which best describes due care in the context of information security?

31. A company is outsourcing its customer support operations to a third-party vendor. The vendor will have access to sensitive customer data. Which of the following should be the primary security requirement in the contract with the vendor?

32. During a risk communication session, the security team needs to present risk analysis results to executive management. Which approach is most effective for this audience?

33. A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?

34. A multinational company must comply with the EU General Data Protection Regulation (GDPR) for processing personal data of EU citizens. The company's data protection officer (DPO) has been appointed but reports to the Chief Marketing Officer (CMO). Which compliance issue is most critical?

35. During a business impact analysis (BIA), the team identifies that the customer service application must be restored within 4 hours of a disruption. What is the term for this metric?

36. An organization is developing a security governance framework to align with business objectives. Which group should have ultimate authority and responsibility for the cybersecurity program?

37. A security analyst discovers that an employee shared confidential customer data with an unauthorized third party. The analyst reports this to the CISO, who decides to terminate the employee. Which ethical principle from the (ISC)² Code of Ethics is most directly violated by the employee?

38. A company has implemented data classification labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. Which control is most appropriate for protecting 'Confidential' data?

39. A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?

40. A financial institution is required to retain customer transaction records for seven years under regulatory mandates. The institution is facing a lawsuit and must preserve all relevant data. What legal concept applies?

41. A business continuity coordinator is planning a test of the disaster recovery plan. Which type of test involves a walk-through of the plan with key stakeholders without actually invoking the technical recovery?

42. Which TWO are examples of administrative controls in an information security program?

43. Which TWO are essential components of a security policy framework?

44. Which THREE are key components of a business continuity plan (BCP)?

45. Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

46. Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?

47. Refer to the exhibit. A security analyst reviews this syslog entry from a firewall. The firewall's ACL is configured to deny all traffic by default except what is explicitly permitted. This is an example of which security principle?

48. A small business wants to implement a risk management framework. Which approach is best for identifying risks?

49. A multinational corporation must comply with GDPR and CCPA. Which data protection strategy should they prioritize?

50. During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?

51. An organization is developing an information security policy. Which of the following should be included?

52. A company experiences a data breach. Which step should be taken first according to best practices?

53. A security manager is evaluating risk treatment options for a high-impact, low-probability risk. Which approach is most appropriate?

54. Which security control is most effective for preventing unauthorized access to a data center?

55. An organization is implementing a security awareness program. Which topic should be emphasized most?

56. A company is merging with another and must integrate security policies. What is the first step?

57. A security manager is selecting controls to protect sensitive data. Which TWO are examples of administrative controls?

58. A risk assessment identifies several threats. Which THREE are considered external threats?

59. Which TWO documents are considered foundational for an information security program?

60. Refer to the exhibit. Which security risk does this policy primarily introduce?

61. Refer to the exhibit. A security analyst finds the above in a configuration file stored in a public GitHub repository. What is the most immediate risk?

62. You are the chief information security officer (CISO) of a large healthcare organization that handles protected health information (PHI). The organization has recently been acquired by a larger conglomerate, and the new parent company mandates that all subsidiaries adopt a single, unified risk management framework based on NIST SP 800-39. Your current framework is ISO 27005-based and has been effective for years. During the transition, you discover that the parent company's framework requires quantitative risk analysis for all critical assets, while your team has been primarily using qualitative analysis due to lack of accurate financial data. Moreover, the parent company expects all risk assessments to be completed within 30 days, a timeframe your team considers unrealistic given the number of assets. Several key stakeholders are concerned about the additional resource burden and potential disruption to operations. You need to propose a course of action that balances compliance with the parent company's mandate while maintaining operational effectiveness and minimizing risk to patient data.

63. A small business wants to ensure compliance with GDPR for its customer data. What is the initial action required to comply with GDPR?

64. A multinational corporation is evaluating risk treatment options for an identified high-impact, low-probability risk. The risk is below the organization's risk appetite threshold. Which is the most appropriate action?

65. During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?

66. Which TWO of the following are considered mandatory elements of an organization's security policy framework?

67. Which THREE of the following are primary objectives of a risk management program?

68. An organization has implemented a password policy requiring a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Despite annual security awareness training, a recent audit revealed that 60% of employees are using passwords that can be cracked within hours. The organization is also experiencing a high number of account compromises due to credential stuffing attacks. The security team is considering various controls to reduce the risk. Which of the following would be the MOST effective in addressing the identified issues?

69. A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?

70. A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?

71. An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?

72. A company wants to ensure that its security policy is effectively enforced across all departments. Currently, the policy is published on the intranet and included in the employee handbook. However, the security team notices that many employees are not following the policy, leading to security incidents. Which of the following would be the most effective way to improve policy enforcement?

73. An organization is conducting a Business Impact Analysis (BIA) as part of its business continuity planning. Which THREE of the following are essential components of a BIA? (Choose three.)

74. Refer to the exhibit. The risk manager is reviewing this risk register entry. According to the organization's risk appetite, which states that residual risks must be low or below, what is the most appropriate recommendation?

75. A large financial institution is finalizing its annual risk treatment plan based on a recent enterprise risk assessment. The risk appetite statement approved by the board specifies that the organization will accept only low residual risks for financial loss, but is willing to accept moderate risks for reputational damage if cost-benefit justifies. The risk register includes the following findings: 1) A critical SQL injection vulnerability in the online banking portal with high likelihood and critical impact; current controls include a web application firewall (WAF) that is not fully tuned. 2) Use of outdated TLS 1.0 encryption on internal communications between data centers; likelihood is medium, impact is low. 3) Lack of background checks for third-party vendors with access to sensitive data; likelihood is low, impact is moderate. 4) A single point of failure in the primary data center's power supply; likelihood is low, impact is critical. 5) An incident response plan that has not been tested in two years; likelihood is medium, impact is moderate. The CISO must prioritize actions for the upcoming quarter. What is the most appropriate first step?


Other CISSP exam domains: Software Development Security, Security Assessment and Testing, Identity and Access Management, Security Architecture and Engineering, Communication and Network Security, Asset Security, Security Operations.

Frequently asked questions

What does the Security and Risk Management domain cover on the CISSP exam?

The Security and Risk Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security and Risk Management questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 75 questions in the Security and Risk Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security and Risk Management for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security and Risk Management questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security and Risk Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
