CISSP · topic practice

Security and Risk Management practice questions

Practise Certified Information Systems Security Professional CISSP Security and Risk Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security and Risk Management

What the exam tests

What to know about Security and Risk Management

Security and Risk Management questions test whether you can apply the concept in context, not just recognise a definition. This page covers:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security and Risk Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security and Risk Management questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

An organization is implementing a new access control system. Which of the following represents the correct order of the AAA framework components?

A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?

Under the ISC2 Code of Ethics, which canon takes precedence over all others?

A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?

Which governance framework provides guidance specifically for aligning IT services with business needs and includes a service lifecycle?

In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?

Which of the following is an example of a security policy?

Under GDPR, which of the following is a valid lawful basis for processing personal data?

A hospital is subject to HIPAA. Which of the following is required when sharing protected health information (PHI) with a third-party billing company?

In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?

Which of the following is a key objective of a business impact analysis (BIA)?

Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?

A security manager is choosing a risk response for a high-impact, high-likelihood risk. Which TWO responses are most appropriate? (Select TWO)

Which THREE of the following are data subject rights under the GDPR? (Select THREE)

A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)

Which of the following is the primary purpose of the CIA triad in information security?

An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?

A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?

During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?

Which of the following is a key requirement under the GDPR regarding personal data breaches?

Frequently asked questions

What does the CISSP exam test about Security and Risk Management?
Security and Risk Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Risk Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Risk Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.