
CISSP Security and Risk Management • Complete Question Bank

CISSP Security and Risk Management — All Questions With Answers

Complete CISSP Security and Risk Management question bank: 74 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

An organization is implementing a new access control system. Which of the following represents the correct order of the AAA framework components?

Question 2 (easy, multiple choice)

A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?

Question 3 (medium, multiple choice)

Under the ISC2 Code of Ethics, which canon takes precedence over all others?

Question 4 (medium, multiple choice)

A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?

Question 5 (medium, multiple choice)

Which governance framework provides guidance specifically for aligning IT services with business needs and includes a service lifecycle?

Question 6 (medium, multiple choice)

In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?

Question 7 (easy, multiple choice)

Which of the following is an example of a security policy?

Question 8 (medium, multiple choice)

Under GDPR, which of the following is a valid lawful basis for processing personal data?

Question 9 (hard, multiple choice)

A hospital is subject to HIPAA. Which of the following is required when sharing protected health information (PHI) with a third-party billing company?

Question 10 (hard, multiple choice)

In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?

Question 11 (medium, multiple choice)

Which of the following is a key objective of a business impact analysis (BIA)?

Question 12 (hard, multiple choice)

Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?

Question 13 (medium, multi-select)

A security manager is choosing a risk response for a high-impact, high-likelihood risk. Which TWO responses are most appropriate? (Select TWO)

Question 14 (medium, multi-select)

Which THREE of the following are data subject rights under the GDPR? (Select THREE)

Question 15 (hard, multi-select)

A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)

Question 16 (easy, multiple choice)

Which of the following is the primary purpose of the CIA triad in information security?

Question 17 (medium, multiple choice)

An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?

Question 18 (hard, multiple choice)

A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?

Question 19 (medium, multiple choice)

During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?

Question 20 (medium, multiple choice)

Which of the following is a key requirement under the GDPR regarding personal data breaches?

Question 21 (easy, multiple choice)

According to the ISC2 Code of Ethics, which of the following canons has the highest priority when resolving an ethical dilemma?

Question 22 (medium, multiple choice)

A security manager is calculating the annual loss expectancy (ALE) for a server valued at $50,000. The exposure factor (EF) is 40%, and the annual rate of occurrence (ARO) is 0.5. What is the ALE?

Question 23 (hard, multiple choice)

Under the PCI DSS, which of the following best describes a 'cardholder data environment' (CDE)?

Question 24 (easy, multiple choice)

Which component of the AAA framework is responsible for determining what resources a user can access and what actions they can perform?

Question 25 (medium, multiple choice)

An organization is implementing a BCP. After completing the BIA, which of the following is the next logical step in the planning process?

Question 26 (medium, multiple choice)

Which of the following is a key difference between a policy and a guideline in information security governance?

Question 27 (hard, multiple choice)

A healthcare organization covered by HIPAA wants to share protected health information (PHI) with a third-party billing service. What must be in place to comply with HIPAA?

Question 28 (medium, multi-select)

A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?

Question 29 (hard, multi-select)

A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?

Question 30 (easy, multi-select)

Which TWO of the following are examples of risk response strategies?

Question 31 (easy, multiple choice)

Which of the following is the PRIMARY purpose of the confidentiality principle in the CIA triad?

Question 32 (easy, multiple choice)

An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?

Question 33 (medium, multiple choice)

A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?

Question 34 (medium, multiple choice)

Under the GDPR, what is the maximum time frame for notifying the supervisory authority of a personal data breach?

Question 35 (medium, multiple choice)

Which of the following is the correct order of priority for the ISC2 Code of Ethics Canons?

Question 36 (hard, multiple choice)

A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?

Question 37 (easy, multiple choice)

Which document provides detailed step-by-step instructions for performing a specific security task?

Question 38 (medium, multiple choice)

A company decides to purchase cyber insurance to cover potential losses from data breaches. Which risk response strategy does this represent?

Question 39 (hard, multiple choice)

Under HIPAA, what is the primary purpose of a Business Associate Agreement (BAA)?

Question 40 (medium, multiple choice)

Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA) in business continuity planning?

Question 41 (medium, multiple choice)

A company is implementing PCI DSS compliance. Which requirement is related to protecting cardholder data at rest?

Question 42 (hard, multiple choice)

An organization has identified a risk with a high likelihood and high impact. Management decides to implement controls to reduce the likelihood. After controls, the risk is reassessed as medium likelihood and medium impact. What is the residual risk?

Question 43 (medium, multi-select)

Which TWO of the following are lawful bases for processing personal data under the GDPR? (Select two)

Question 44 (hard, multi-select)

Which THREE of the following are key components of a disaster recovery plan for a hot site? (Select three)

Question 45 (medium, multi-select)

Which TWO of the following are examples of non-repudiation controls? (Select two)

Question 46 (medium, multiple choice)

A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?

Question 47 (easy, multiple choice)

Which of the following is the correct order of the ISC2 Code of Ethics canons from highest to lowest priority?

Question 48 (medium, multiple choice)

An organization is implementing a new access control system. They want to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?

Question 49 (hard, multiple choice)

Under the GDPR, a data controller experiences a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. What is the maximum time frame within which the controller must notify the supervisory authority?

Question 50 (easy, multiple choice)

Which type of risk remains after management has implemented controls to mitigate the identified risks?

Question 51 (medium, multiple choice)

A financial institution is required to comply with SOX. Which of the following is a key focus area for IT under SOX?

Question 52 (medium, multiple choice)

During a business impact analysis (BIA), which metric represents the maximum amount of time a business process can be disrupted before causing significant harm to the organization?

Question 53 (medium, multiple choice)

In qualitative risk analysis, a risk is assessed with a likelihood of 4 (on a scale of 1-5) and an impact of 5. The risk matrix defines scores of 15-25 as high. What is the risk rating?

Question 54 (easy, multiple choice)

Which document is mandatory, high-level, and sets the direction for security within an organization?

Question 55 (hard, multiple choice)

Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with which of the following?

Question 56 (medium, multiple choice)

An organization wants to avoid a particular risk entirely by not engaging in the activity that creates the risk. Which risk response strategy is being used?

Question 57 (easy, multiple choice)

Which component of the CIA triad ensures that information is not disclosed to unauthorized individuals, entities, or processes?

Question 58 (hard, multiple choice)

A company is designing a disaster recovery plan. They need to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?

Question 59 (medium, multiple choice)

Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?

Question 60 (medium, multiple choice)

A company is implementing a hot site as a disaster recovery option. Which of the following best describes a hot site?

Question 61 (medium, multi-select)

A security officer is developing a risk management plan. Which TWO of the following are valid risk response strategies? (Select TWO.)

Question 62 (hard, multi-select)

Under the GDPR, which THREE of the following are rights of data subjects? (Select THREE.)

Question 63 (medium, multi-select)

In the context of business continuity planning, which THREE of the following are typically identified during a business impact analysis (BIA)? (Select THREE.)

Question 64 (easy, multiple choice)

An organization's security policy requires that all data at rest must be encrypted. Which security principle is primarily being addressed?

Question 65 (medium, multiple choice)

A company is implementing a risk management program. They have identified a critical server with an asset value of $50,000. The exposure factor due to a potential threat is 40%, and the annual rate of occurrence is 2. What is the Annualized Loss Expectancy (ALE)?

Question 66 (medium, multiple choice)

During a Business Impact Analysis (BIA), the maximum amount of time a business process can be unavailable before causing significant harm is determined. Which metric represents this?

Question 67 (hard, multiple choice)

A security manager is evaluating risk responses for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk response strategy is most appropriate?

Question 68 (easy, multiple choice)

Under the ISC2 Code of Ethics, which canon has the highest priority?

Question 69 (medium, multiple choice)

An organization is required to report a personal data breach to the supervisory authority within 72 hours. Which regulation imposes this requirement?

Question 70 (hard, multiple choice)

A company's disaster recovery plan includes an agreement with another company to provide backup computing facilities in case of a disaster. The agreement allows the second company to use the facilities for its own operations if needed. This arrangement is best described as:

Question 71 (easy, multi-select)

Which TWO of the following are elements of the AAA framework in security?

Question 72 (medium, multi-select)

According to the ISC2 Code of Ethics, which TWO canons are listed in the correct order of priority (highest to lowest)?

Question 73 (medium, multi-select)

Which THREE of the following are valid risk response strategies?

Question 74 (hard, multi-select)

Under GDPR, which TWO of the following are valid lawful bases for processing personal data?
