CISSP · topic practice

Security Operations practice questions

Practise Certified Information Systems Security Professional CISSP Security Operations practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security Operations exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

During a security incident, an organization's SOC team identifies a series of unauthorized access attempts from an external IP address. The incident manager needs to escalate this to the appropriate team. According to the incident response plan, which role is primarily responsible for coordinating the response and communicating with stakeholders?

An organization's disaster recovery plan specifies a Recovery Time Objective (RTO) of 4 hours for its critical financial application. Which disaster recovery site would be MOST appropriate to meet this RTO?

A forensic investigator arrives at a crime scene involving a compromised server. The server is still running. According to the order of volatility, which of the following should the investigator capture FIRST?

Which of the following BEST describes the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

A SOC team is using a SIEM to correlate events from multiple sources. They want to automate responses to common threats. Which technology should they integrate to achieve security orchestration and automation?

An organization's data loss prevention (DLP) solution is configured to block emails containing credit card numbers. This is an example of which type of DLP control?

During a vulnerability management lifecycle, after vulnerabilities are identified and prioritized, what is the NEXT step?

Which of the following metrics is used to determine the maximum amount of data loss an organization can tolerate in a disaster?

An organization is implementing a change management process. Which group is responsible for reviewing and approving major changes?

What is the PRIMARY purpose of a chain of custody in digital forensics?

Question 11mediummultiple choice
Read the full DNS explanation →

A SOC has three tiers: Tier 1 triages alerts, Tier 2 investigates, and Tier 3 performs advanced analysis. An alert about a potential data exfiltration using DNS tunneling is escalated from Tier 1. Which tier is BEST suited to perform deep packet inspection and memory forensics to confirm the exfiltration?

An organization is recovering from a ransomware attack that encrypted critical servers. The backup strategy must ensure that the Recovery Point Objective (RPO) of 1 hour is met. Which backup method is MOST appropriate?

A security analyst is examining a memory dump from a compromised workstation. Which TWO tools are commonly used for memory forensics?

An organization is updating its incident response plan. According to best practices, which THREE components should be included in the plan?

A company is designing a disaster recovery strategy for its e-commerce platform. The platform requires an RTO of 2 hours and an RPO of 15 minutes. Which TWO strategies would BEST meet these requirements?

An organization is developing an incident response plan. Which component is responsible for defining the specific conditions that constitute an incident?

During a digital forensics investigation, a security analyst must preserve evidence in order of volatility. Which of the following represents the correct sequence from most volatile to least volatile?

A company is selecting a disaster recovery site for critical applications that must be restored within 4 hours with minimal data loss. Which site type best meets these requirements?

A SOC analyst receives an alert from the SIEM indicating a large volume of outbound data from a sensitive database server to an external IP address. The analyst queries the SIEM and finds the server communicated with the external IP during non-business hours. Which type of incident is most likely occurring?

Which metric defines the maximum amount of data loss an organization can tolerate during a disaster?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security Operations sessions

Start a Security Operations only practice session

Every question in these sessions is drawn from the Security Operations domain — nothing else.

Related practice questions

Related CISSP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISSP exam test about Security Operations?
Security Operations questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.