Practice CISSP Security and Risk Management questions with full explanations on every answer.
1. A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?
2. A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?
3. A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?
4. During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?
5. An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?
6. A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?
7. A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?
8. An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?
9. Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)
10. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)
11. Which TWO of the following are examples of administrative controls? (Select exactly 2)
12. A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?
13. Based on the exhibit, what security control is being demonstrated?
14. You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?
15. You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?
16. Drag and drop the steps for conducting a risk assessment in the correct order.
17. Match each security control to its category (preventive, detective, corrective).
18. A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?
19. An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?
20. A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?
21. Based on the firewall log entry, what is the most likely cause of the denied traffic?
22. Based on the exhibit, which security objective is this policy primarily designed to protect?
23. Based on the SIEM correlation rule, what behavior is this rule designed to detect?
24. During a business impact analysis (BIA), a department manager states that a critical process cannot be interrupted for more than 2 hours. However, the current backup system requires 8 hours to restore. What is the most appropriate risk management action?
25. An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?
26. A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?
27. Which TWO of the following are key indicators that a security awareness training program is effective? (Choose two.)
28. Which THREE of the following are control families defined in NIST SP 800-53? (Choose three.)
29. Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)
30. An organization is implementing a security program and wants to ensure it meets legal and regulatory requirements. The security manager is reviewing the concept of due care. Which best describes due care in the context of information security?
31. A company is outsourcing its customer support operations to a third-party vendor. The vendor will have access to sensitive customer data. Which of the following should be the primary security requirement in the contract with the vendor?
32. During a risk communication session, the security team needs to present risk analysis results to executive management. Which approach is most effective for this audience?
33. A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?
34. A multinational company must comply with the EU General Data Protection Regulation (GDPR) for processing personal data of EU citizens. The company's data protection officer (DPO) has been appointed but reports to the Chief Marketing Officer (CMO). Which compliance issue is most critical?
35. During a business impact analysis (BIA), the team identifies that the customer service application must be restored within 4 hours of a disruption. What is the term for this metric?
36. An organization is developing a security governance framework to align with business objectives. Which group should have ultimate authority and responsibility for the cybersecurity program?
37. A security analyst discovers that an employee shared confidential customer data with an unauthorized third party. The analyst reports this to the CISO, who decides to terminate the employee. Which ethical principle from the (ISC)² Code of Ethics is most directly violated by the employee?
38. A company has implemented data classification labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. Which control is most appropriate for protecting 'Confidential' data?
39. A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?
40. A financial institution is required to retain customer transaction records for seven years under regulatory mandates. The institution is facing a lawsuit and must preserve all relevant data. What legal concept applies?
41. A business continuity coordinator is planning a test of the disaster recovery plan. Which type of test involves a walk-through of the plan with key stakeholders without actually invoking the technical recovery?
42. Which TWO are examples of administrative controls in an information security program?
43. Which TWO are essential components of a security policy framework?
44. Which THREE are key components of a business continuity plan (BCP)?
45. Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?
46. Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?
47. Refer to the exhibit. A security analyst reviews this syslog entry from a firewall. The firewall's ACL is configured to deny all traffic by default except what is explicitly permitted. This is an example of which security principle?
48. A small business wants to implement a risk management framework. Which approach is best for identifying risks?
49. A multinational corporation must comply with GDPR and CCPA. Which data protection strategy should they prioritize?
50. During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?
51. An organization is developing an information security policy. Which of the following should be included?
52. A company experiences a data breach. Which step should be taken first according to best practices?
53. A security manager is evaluating risk treatment options for a high-impact, low-probability risk. Which approach is most appropriate?
54. Which security control is most effective for preventing unauthorized access to a data center?
55. An organization is implementing a security awareness program. Which topic should be emphasized most?
56. A company is merging with another and must integrate security policies. What is the first step?
57. A security manager is selecting controls to protect sensitive data. Which TWO are examples of administrative controls?
58. A risk assessment identifies several threats. Which THREE are considered external threats?
59. Which TWO documents are considered foundational for an information security program?
60. Refer to the exhibit. Which security risk does this policy primarily introduce?
61. Refer to the exhibit. A security analyst finds the above in a configuration file stored in a public GitHub repository. What is the most immediate risk?
62. You are the chief information security officer (CISO) of a large healthcare organization that handles protected health information (PHI). The organization has recently been acquired by a larger conglomerate, and the new parent company mandates that all subsidiaries adopt a single, unified risk management framework based on NIST SP 800-39. Your current framework is ISO 27005-based and has been effective for years. During the transition, you discover that the parent company's framework requires quantitative risk analysis for all critical assets, while your team has been primarily using qualitative analysis due to lack of accurate financial data. Moreover, the parent company expects all risk assessments to be completed within 30 days, a timeframe your team considers unrealistic given the number of assets. Several key stakeholders are concerned about the additional resource burden and potential disruption to operations. You need to propose a course of action that balances compliance with the parent company's mandate while maintaining operational effectiveness and minimizing risk to patient data.
63. A small business wants to ensure compliance with GDPR for its customer data. What is the initial action required to comply with GDPR?
64. A multinational corporation is evaluating risk treatment options for an identified high-impact, low-probability risk. The risk is below the organization's risk appetite threshold. Which is the most appropriate action?
65. During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?
66. Which TWO of the following are considered mandatory elements of an organization's security policy framework?
67. Which THREE of the following are primary objectives of a risk management program?
68. An organization has implemented a password policy requiring a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Despite annual security awareness training, a recent audit revealed that 60% of employees are using passwords that can be cracked within hours. The organization is also experiencing a high number of account compromises due to credential stuffing attacks. The security team is considering various controls to reduce the risk. Which of the following would be the MOST effective in addressing the identified issues?
69. A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?
70. A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?
71. An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?
72. A company wants to ensure that its security policy is effectively enforced across all departments. Currently, the policy is published on the intranet and included in the employee handbook. However, the security team notices that many employees are not following the policy, leading to security incidents. Which of the following would be the most effective way to improve policy enforcement?
73. An organization is conducting a Business Impact Analysis (BIA) as part of its business continuity planning. Which THREE of the following are essential components of a BIA? (Choose three.)
74. Refer to the exhibit. The risk manager is reviewing this risk register entry. According to the organization's risk appetite, which states that residual risks must be low or below, what is the most appropriate recommendation?
75. A large financial institution is finalizing its annual risk treatment plan based on a recent enterprise risk assessment. The risk appetite statement approved by the board specifies that the organization will accept only low residual risks for financial loss, but is willing to accept moderate risks for reputational damage if cost-benefit justifies. The risk register includes the following findings: 1) A critical SQL injection vulnerability in the online banking portal with high likelihood and critical impact; current controls include a web application firewall (WAF) that is not fully tuned. 2) Use of outdated TLS 1.0 encryption on internal communications between data centers; likelihood is medium, impact is low. 3) Lack of background checks for third-party vendors with access to sensitive data; likelihood is low, impact is moderate. 4) A single point of failure in the primary data center's power supply; likelihood is low, impact is critical. 5) An incident response plan that has not been tested in two years; likelihood is medium, impact is moderate. The CISO must prioritize actions for the upcoming quarter. What is the most appropriate first step?
The Security and Risk Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 75 questions in the Security and Risk Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security and Risk Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.