Security and Risk Management practice questions

Practise Certified Information Systems Security Professional (CISSP) Security and Risk Management questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security and Risk Management

What the exam tests

What to know about Security and Risk Management

Security and Risk Management questions test whether you can apply the concept in context, not just recognise a definition. The questions cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security and Risk Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security and Risk Management questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?

Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

Which TWO of the following are examples of administrative controls? (Select exactly 2)

Question 12 · hard · multiple choice

A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?

Exhibit

Refer to the exhibit.
```
Policy: data_classification
{
  "rules": [
    {
      "pattern": "credit_card_number",
      "classification": "restricted",
      "action": "encrypt"
    },
    {
      "pattern": "employee_id",
      "classification": "internal",
      "action": "mask"
    },
    {
      "pattern": "public_info",
      "classification": "public",
      "action": "none"
    }
  ]
}
```

Based on the exhibit, what security control is being demonstrated?

Exhibit

Refer to the exhibit.
```
Error log:
2025-03-15 14:23:45 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:47 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:49 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:51 ERROR Account locked for user 'admin' due to multiple failed attempts.
```

Question 14 · hard · multiple choice

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?

Drag and drop the steps for conducting a risk assessment in the correct order.


Match each security control to its category (preventive, detective, corrective).


A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?

An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?

Question 20 · hard · multiple choice

A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?


Focused Security and Risk Management sessions

Start a Security and Risk Management only practice session

Every question in these sessions is drawn from the Security and Risk Management domain — nothing else.


Frequently asked questions

What does the CISSP exam test about Security and Risk Management?
Security and Risk Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security and Risk Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Security and Risk Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.