ISC2 · Free Practice Questions · Last reviewed May 2026
48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?
Accept the risk of non-compliance as a cost of doing business and set aside a contingency fund for fines.
Assign legal counsel to review local laws and implement a one-time compliance checklist.
Create a uniform global privacy policy that satisfies all jurisdictions with minimal adjustments.
Adopt a privacy-by-design framework and conduct a Data Protection Impact Assessment (DPIA) before launching operations.
Correct - Privacy-by-design and DPIA ensure compliance is built into processes.
A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?
Block all access to public cloud storage services from corporate devices.
Implement mandatory security awareness training focusing on data handling procedures.
Deploy a Data Loss Prevention (DLP) solution that monitors and controls sharing of sensitive data.
Correct - DLP provides automated controls to prevent data leakage.
Encrypt all sensitive data at rest and in transit to render shared data useless.
A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?
Adopting a template from a similar organization to save time.
Aligning the policy with business objectives and risk appetite.
Correct - Policy must support business needs and address real risks.
Ensuring the policy is enforceable with technical controls.
Basing the policy solely on regulatory compliance requirements.
During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?
$300,000
$250,000
Correct - Reduction in ALE ($450,000) minus cost ($200,000) = $250,000.
$450,000
$200,000
An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?
Identify recovery strategies for critical systems.
Conduct a business impact analysis (BIA) to prioritize critical business functions.
Correct - BIA determines criticality and recovery time objectives.
Develop a testing schedule for the BCP.
Perform a risk assessment to identify potential threats.
A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?
To ensure appropriate protection measures are applied to data based on its value and sensitivity.
Correct - Classification drives the level of protection needed.
To satisfy regulatory requirements for data retention.
To facilitate data sharing across departments without restrictions.
To simplify the process of granting access to users.
An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?
Export the key in plaintext and store it in a safe
Replicate the HSM configuration to another HSM in a different location
Use the HSM's key-wrapping function to encrypt the key and store the wrapped key in a secure offsite facility
Correct - Key wrapping maintains the same cryptographic boundary and offsite storage provides redundancy.
Store an encrypted copy on a local server in the same data center
A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?
Full disk encryption (FDE) with a strong passphrase
Trusted Platform Module (TPM)
Hypervisor-based isolation
Intel Software Guard Extensions (SGX)
Correct - SGX creates hardware-enforced enclaves that isolate code and data even from the OS.
A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?
The certificate uses RSA 1024-bit key
The server supports TLS 1.0
Correct - TLS 1.0 is deprecated and has known vulnerabilities.
The server does not support HTTP/2
The server enables TLS session tickets
An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?
Use mobile device management (MDM) to create a secure container for corporate apps and data
Correct - Containerization isolates corporate data and allows selective wipe.
Require employees to use company-issued devices only
Disable camera and microphone on the device
Full device encryption with remote wipe capability
A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?
Randomize the address space layout (ASLR)
Implement stack canaries in all user-space applications
Reduce the number of system calls and IPC mechanisms
Use cache partitioning or cache coloring to isolate process caches
Correct - Cache partitioning prevents cross-process cache timing attacks.
A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?
Fingerprint scanner and password
Password and one-time passcode sent via SMS
Correct - SMS OTP is inexpensive and easy to deploy.
Smart card and PIN
Password and security questions
A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?
The VPN server is using TCP port 443 instead of UDP 500.
The firewall rule is applied to the wrong interface.
The firewall is stateful and blocking the return traffic.
The VPN server is not listening on UDP port 500.
Correct - If the server does not have the VPN service running, it won't respond, causing the client to time out.
A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?
SSH
IPsec tunnel mode
Correct - IPsec tunnel mode encrypts and authenticates entire packets between gateways.
MPLS
SSL/TLS
A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?
DNS is not resolving the payroll server's IP address.
The payroll server's default gateway does not have a route back to 10.10.20.0/24.
Correct - Without a return route, packets from the server cannot reach the accounting subnet.
The firewall rule is applied to the outbound interface only.
The accounting subnet is blocked by an implicit deny rule.
A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?
The wireless network uses WPA2-PSK instead of WPA2-Enterprise.
The RADIUS server's certificate is not trusted by the new laptop.
Correct - EAP-TLS mutual authentication requires the client to trust the server's certificate.
The client certificate is not correctly associated with the user account.
The laptop does not support MSCHAPv2.
A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?
Rule: Source interface Inside, Source any, Destination 10.0.0.10, Port 80, Action allow
Rule: Source interface Outside, Source any, Destination 10.0.0.10, Port 80, Action allow
Correct - This allows inbound HTTP from the internet to the DMZ web server.
Rule: Source interface Outside, Source 192.168.1.0/24, Destination 10.0.0.10, Port 80, Action allow
Rule: Source interface DMZ, Source any, Destination 10.0.0.10, Port 80, Action allow
An organization wants to ensure that employees can securely access internal applications from home. They deploy a VPN solution. Which VPN type provides the strongest encryption and is most commonly used for remote access?
IPsec with IKEv2 and AES-256
Correct - This provides strong encryption and is widely used for remote access.
MPLS Layer 3 VPN
L2TP without encryption
PPTP
A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?
Re-scan the application with the same settings to confirm the results.
Manually verify a sample of the findings to confirm true vs. false positives.
Correct - Manual verification helps identify false positives and prioritize real vulnerabilities.
Escalate all critical findings to management immediately.
Retune the vulnerability scanner to reduce false positives and re-scan.
A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?
Network throughput between application tiers.
Average CPU load across all systems.
Number of failed login attempts per hour.
Configuration drift from a known good baseline.
Correct - Configuration drift detection directly identifies unauthorized changes to system settings.
A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?
ARP scan to discover hosts on the local subnet.
Ping sweep using ICMP echo requests.
Correct - Ping sweep is a standard, non-disruptive host discovery technique.
Vulnerability scan of all IP addresses in the target range.
Full TCP port scan on common ports.
A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?
Sending a phishing email that mimics a common internal communication.
Correct - Phishing emails directly test the awareness training provided to employees.
Calling employees and pretending to be IT support to obtain passwords.
Attempting to tailgate into a secure facility.
Searching through trash bins for sensitive documents.
A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?
Conduct the test on the production environment using anonymized production data.
Use an automated vulnerability scanner on the production environment.
Perform the test during off-peak hours on the production system with read-only access.
Build a replica of the production environment and test against it with realistic attack scenarios.
Correct - A replica environment allows full attack simulation without risking production data.
A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?
Manually verify the vulnerability on a sample of affected hosts.
Correct - Manual verification confirms the finding and reduces false positives.
Immediately apply patches to all affected hosts.
Remove the hosts from the network until the vulnerability is resolved.
Re-run the scan with a different scanner.
A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?
Biometric data cannot be revoked or changed if compromised
Correct - Biometric traits are permanent; once stolen, they cannot be replaced.
High false acceptance rate leading to unauthorized access
Low user acceptance due to privacy concerns
Increased login time compared to password authentication
A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?
The system clocks on the IdP and SP are significantly out of sync
Correct - SAML assertions include timestamps; clock skew leads to validation failure.
The SP is configured to require a specific SAML attribute not present in the assertion
The IdP server for the subsidiary is temporarily unreachable
The SAML certificate used by the SP has expired
An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?
Compare new passwords against a list of known compromised passwords
Correct - This prevents use of common passwords from breach data.
Set maximum password length to 8 characters
Require password changes every 30 days
Enforce a minimum of one uppercase, one lowercase, one digit, and one special character
A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?
Share the Purchasing Manager's account credentials with the user
Temporarily assign the 'Purchasing Approver' role to the user with an expiration date
Correct - This grants needed access for a limited time, maintaining least privilege.
Modify the 'Accounts Payable' role to include purchase order approval permissions
Create a new role with the exact permissions needed and assign it to the user
A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?
Convert the account to a group Managed Service Account (gMSA)
Set a very long, complex password and store it in a password manager
Decommission the legacy application and migrate to a modern alternative that supports secure authentication
Correct - Eliminates the risk entirely by removing the service account.
Disable the account and create a new service account with limited privileges
A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?
Password and PIN
Hardware token and mobile phone
Smart card and fingerprint
Correct - Smart card (possession) + fingerprint (inherence) = two factors.
Password and SMS code
A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?
Implementation
Design
Correct - Threat modeling is a design-time activity that helps identify and address security threats before implementation.
Testing
Requirements gathering
A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?
Remove the library from the codebase immediately
Disable the vulnerable feature in the library
Increase logging and monitoring to detect exploitation attempts
Implement a Web Application Firewall (WAF) rule to block exploitation
Correct - A WAF can provide virtual patching to mitigate the vulnerability in transit.
During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:
String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";
Which of the following is the MOST effective remediation?
Use regular expressions to validate the username and password inputs
Encode the input using HTML entity encoding before inclusion in the query
Escape single quotes in the input parameters
Replace the concatenated query with a prepared statement and bind parameters
Correct - Prepared statements ensure user input is treated as data, not executable SQL.
An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?
Security testing is performed only at the end of the project
Security issues can be addressed incrementally throughout development
Correct - Agile's short cycles allow for prompt remediation of security findings.
Security requirements are finalized upfront
Security documentation is minimized to reduce overhead
A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?
Scan images for vulnerabilities and use minimal base images
Correct - Vulnerability scanning and minimal images reduce risk.
Restrict containers from running as root
Use the latest version of the base image without scanning
Enable container escape protection
A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?
Use JSON Web Tokens (JWT) for each request
Use API keys transmitted in HTTP headers
Place all services behind a single API gateway
Implement mutual TLS (mTLS) between services
Correct - mTLS provides strong authentication and encryption for inter-service communication.
A financial institution is implementing a data retention policy to comply with regulatory requirements. The policy must ensure that transaction records are retained for 7 years and then securely destroyed. Which of the following is the BEST approach to implement this policy?
Encrypt all records and destroy the encryption keys after 7 years
Automatically purge records using a data management tool that overwrites data after the retention period
Correct - Automated purging ensures consistent and timely destruction, reducing human error and ensuring compliance.
Move records to a separate archive and delete the directory pointers
Manually review and delete records after 7 years
During a security audit, it is discovered that a company's data classification labels are inconsistently applied across different departments. Which of the following is the BEST long-term solution to ensure consistent data classification?
Conduct annual retraining on data classification policies
Implement automated data classification tools that apply labels based on content and context
Correct - Automation reduces human error and ensures consistent application of classification labels.
Adopt a single classification level for all data to eliminate confusion
Assign a data owner in each department to manually review and classify data
An organization wants to protect sensitive data stored on laptops. Which of the following is the MOST effective control to prevent data loss if a laptop is stolen?
BIOS password
Asset tracking software
Full-disk encryption (FDE)
Correct - FDE encrypts the entire drive, making data inaccessible without the key.
Remote wipe capability
A healthcare organization is moving patient records to a cloud storage service. Which of the following is the MOST important requirement to ensure data security and compliance with HIPAA?
Multi-factor authentication for all cloud access
Encryption of data in transit using TLS 1.2
A signed Business Associate Agreement (BAA) with the cloud provider
Correct - A BAA is required under HIPAA to ensure the cloud provider handles PHI appropriately.
Encryption of data at rest using AES-256
A company is decommissioning a data center and needs to dispose of hard drives that contained highly confidential financial data. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?
Overwriting the drives with multiple passes of random data
Shredding the drives into small pieces
Correct - Physical destruction makes data recovery physically impossible.
Degaussing the drives
Overwriting the drives with a single pass of zeros
Which TWO of the following are essential components of a data classification policy? (Select two.)
Data retention periods for each classification level
Roles and responsibilities for data classification
Correct - Defining who is responsible for classifying data is essential.
Definition of classification levels (e.g., public, confidential, secret)
Correct - Classification levels are a core component of the policy.
Methods for secure data destruction
Encryption standards for each classification level
A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?
Analyze the log events to identify the attack pattern and implement additional controls such as MFA
Correct - Understanding the attack pattern allows for targeted controls like requiring MFA for the targeted account or blocking the attack vector.
Increase the account lockout threshold
Ignore the event as it is likely a false positive
Disable the user account being targeted
A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?
Isolate the server from the network
Correct - Isolation stops the malicious outbound connection and prevents further damage, allowing for later forensic analysis.
Initiate a full incident response investigation
Disregard the alert because svchost.exe is a legitimate Windows process
Terminate the suspicious process
During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?
Accountability
Correct - Account sharing removes the ability to trace actions to an individual, violating accountability.
Separation of duties
Defense in depth
Least privilege
A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?
Apply the rule to all internal hosts with the same threshold
Trigger only when the destination IP is in a threat intelligence feed of known malicious IPs
Use a baseline of normal traffic per host and trigger only when the volume exceeds the baseline by a significant margin
Correct - Baselines allow the rule to adapt to each host's typical behavior, reducing false positives while detecting anomalies.
Set a static threshold of 10 MB for all hosts, but exclude traffic to common cloud storage providers
A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?
The employee did not enable encryption (e.g., BitLocker To Go) after formatting
Correct - Encryption is a separate step that must be explicitly enabled, e.g., via BitLocker To Go.
The USB drive hardware does not support encryption
The operating system does not support encryption of removable media
The employee used the wrong file system (FAT32 vs NTFS)
An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?
Full backup every 24 hours
Continuous data protection (CDP)
Correct - CDP captures every write, enabling restoration to any point within seconds, meeting the RPO.
Differential backup every 6 hours
Incremental backup every 4 hours
The CISSP exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.
Scenario-based management and technical questions across security governance, risk, architecture, identity, network, application, and operations domains.
The exam covers 8 domains: Security and Risk Management, Security Architecture and Engineering, Communication and Network Security, Security Assessment and Testing, Identity and Access Management, Software Development Security, Asset Security, Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISC2 CISSP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.