CISSP · topic practice

Security Assessment and Testing practice questions

Practise CISSP (Certified Information Systems Security Professional) Security Assessment and Testing questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Assessment and Testing

What the exam tests

What to know about Security Assessment and Testing

Security Assessment and Testing questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Assessment and Testing exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Assessment and Testing questions

20 questions · select your answer, then reveal the explanation

A security analyst is asked to identify vulnerabilities in a web application without attempting to exploit them. Which type of assessment is being performed?

During a penetration test, the tester has obtained initial access and is now trying to move laterally to other systems. Which phase of the penetration testing process does this represent?

A company wants to ensure its internal web application is free from security flaws during development. Which testing approach analyzes source code without executing the program?

Which of the following is a key component of the rules of engagement for a penetration test?

A security auditor is assessing whether a company's controls comply with ISO 27001. What type of audit is being conducted?

Which vulnerability scoring system provides a standardized severity rating for vulnerabilities based on exploitability and impact metrics?

A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?

Which type of SOC report provides a public summary of an organization's controls over security, availability, and confidentiality?

An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?

During a security audit, the auditor selects a sample of user access reviews to verify that access rights are properly managed. This type of testing is best described as:

Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?

A company hires a third party to perform an assessment where the testers are given no prior knowledge of the internal network. This type of penetration test is known as:

A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?

An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?
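The two metrics questions above (on responding quickly to critical vulnerabilities, and on what to report to the board) both come down to measuring time from detection to closure against a remediation deadline. The following is an added example, not part of the original question set, that computes mean time to remediate, SLA compliance and the list of open findings already past their deadline from a constructed finding export. The records, the severity deadlines and the reporting date are all assumptions made for the example.

```python
"""Vulnerability-management metrics from a constructed finding export."""
from datetime import date

# Constructed records: (finding id, severity, first seen, remediated or None).
FINDINGS = [
    ("F-1", "Critical", date(2024, 3, 1), date(2024, 3, 9)),
    ("F-2", "Critical", date(2024, 3, 4), date(2024, 3, 30)),
    ("F-3", "Critical", date(2024, 3, 20), None),
    ("F-4", "High", date(2024, 3, 2), date(2024, 3, 22)),
    ("F-5", "High", date(2024, 3, 10), date(2024, 4, 9)),
    ("F-6", "Medium", date(2024, 2, 1), None),
]
# Hypothetical remediation deadlines in days, per severity.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90}
# Hypothetical reporting date used to age open findings.
AS_OF = date(2024, 4, 15)


def mean_time_to_remediate(findings, severity):
    """Average days from detection to closure; closed findings only."""
    closed = [(fixed - seen).days for _, sev, seen, fixed in findings
              if sev == severity and fixed is not None]
    return sum(closed) / len(closed) if closed else None


def sla_compliance(findings, severity, as_of=AS_OF):
    """Share of decided findings closed inside the deadline. A finding still
    open but already past its deadline counts as a breach; one still open and
    inside its window is undecided and left out of the ratio."""
    deadline = SLA_DAYS[severity]
    met = breached = 0
    for _, sev, seen, fixed in findings:
        if sev != severity:
            continue
        age = ((fixed or as_of) - seen).days
        if fixed is not None and age <= deadline:
            met += 1
        elif age > deadline:
            breached += 1
    total = met + breached
    return met / total if total else None


def open_past_sla(findings, as_of=AS_OF):
    """Finding ids that are still open and older than their deadline."""
    return [fid for fid, sev, seen, fixed in findings
            if fixed is None and (as_of - seen).days > SLA_DAYS[sev]]


if __name__ == "__main__":
    for sev in ("Critical", "High", "Medium"):
        mttr = mean_time_to_remediate(FINDINGS, sev)
        comp = sla_compliance(FINDINGS, sev)
        print(f"{sev:8s} MTTR={mttr} days  SLA compliance={comp}")
    print("open past SLA:", open_past_sla(FINDINGS))
```

Reporting only the average hides the open critical finding that is already overdue, which is why a board-level view usually pairs MTTR with SLA compliance and a count of overdue items rather than showing any one of them alone.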

A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?

A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?

During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:

An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?
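Both source-code questions above describe static application security testing: the analyser reads the program's structure and never runs it. The following is an added example, not part of the original question set, of a minimal static analyser built on Python's own `ast` module. The sample source it scans is constructed for the example, as are the three rule names; it flags a shell command built from runtime data, a query string assembled with an f-string, and a call to `eval`, and leaves the parameterised query alone.

```python
"""A minimal static analyser: flags risky call patterns in Python source
without importing or executing it."""
import ast
from dataclasses import dataclass

# Constructed sample of the kind of code a SAST tool is pointed at.
SAMPLE_SOURCE = '''
import subprocess, sqlite3

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    return cur.fetchall()

def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()

def load(blob):
    return eval(blob)
'''


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when a string is assembled at runtime (f-string, + or %
    concatenation, .format) rather than written as a literal."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the callee as written: 'subprocess.run', 'cur.execute', 'eval'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def analyse(source: str) -> list[Finding]:
    """Walk the syntax tree and report matches, ordered by source line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        args = node.args
        if name == "eval":
            findings.append(Finding(node.lineno, "CODE-EXEC",
                                    "eval() executes whatever it is given"))
        elif name.startswith("subprocess.") and _shell_true(node) \
                and args and _is_dynamic_string(args[0]):
            findings.append(Finding(node.lineno, "SHELL-INJ",
                                    f"{name} with shell=True and a runtime-built command"))
        elif name.endswith(".execute") and args and _is_dynamic_string(args[0]):
            findings.append(Finding(node.lineno, "SQL-INJ",
                                    f"{name} with a runtime-built query string"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyse(SAMPLE_SOURCE):
        print(f"line {f.line:3d}  {f.rule:10s} {f.detail}")
```

Note what this approach cannot see: it reports a `.execute` call with an f-string even if the interpolated value happens to be trusted, and it misses a dangerous string that was built several statements earlier and passed in a variable. Those false positives and false negatives are exactly why static analysis is paired with dynamic testing rather than used on its own.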

A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?

Which of the following is the primary purpose of a security audit?


Focused Security Assessment and Testing sessions

Start a Security Assessment and Testing only practice session

Every question in these sessions is drawn from the Security Assessment and Testing domain — nothing else.


Frequently asked questions

What does the CISSP exam test about Security Assessment and Testing?
Security Assessment and Testing questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Assessment and Testing questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Assessment and Testing domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.