CISSP: Certified Information Systems Security Professional Exam

425 Questions and Answers

CISSP: Certified Information Systems Security Professional Practice Exam

The Certified Information Systems Security Professional (CISSP) exam is a globally recognized credential awarded by (ISC)², designed for experienced security practitioners, managers, and executives who want to prove their knowledge across a wide array of cybersecurity practices and principles. Achieving the CISSP designation demonstrates that you have the skills, knowledge, and credibility to design, implement, and manage a best-in-class cybersecurity program.

Whether you’re pursuing a career in information security, IT audit, risk management, or compliance, passing the CISSP exam is a critical milestone. With a growing demand for certified professionals in both the public and private sectors, this certification sets you apart as a trusted expert in the industry.


What You’ll Learn with This Practice Exam

Our CISSP Practice Exam is crafted to reflect the latest exam format and real-world question styles, helping you master both the breadth and depth of the CISSP curriculum. As you work through each multiple-choice question, you’ll reinforce key concepts and strengthen your ability to think like a CISSP professional. Each question includes a detailed explanation, ensuring you not only learn the correct answer but understand the “why” behind it.

By using this practice exam, you will:

  • Familiarize yourself with the structure and difficulty level of the actual CISSP exam

  • Identify your knowledge gaps and target weak areas

  • Practice interpreting and analyzing scenario-based questions

  • Boost your confidence through repeated exposure to core CISSP topics

  • Improve time management skills to handle the 3-hour CAT exam effectively


Topics Covered

This practice exam is aligned with the (ISC)² CISSP Common Body of Knowledge (CBK) and covers all eight domains comprehensively:

  1. Security and Risk Management

  2. Asset Security

  3. Security Architecture and Engineering

  4. Communication and Network Security

  5. Identity and Access Management (IAM)

  6. Security Assessment and Testing

  7. Security Operations

  8. Software Development Security

Each domain is represented with scenario-based, high-quality questions designed to reflect the complexity and logic of the real exam.


Why Choose Exam Sage for Your CISSP Preparation?

At Exam Sage, we specialize in providing expert-designed, exam-focused practice tests that are both challenging and educational. Our CISSP practice exam is:

✅ Up-to-date with the latest exam blueprint
✅ Created by cybersecurity professionals with real-world experience
✅ Detailed in explanations, so you learn and not just memorize
✅ Mobile-friendly, allowing you to study anytime, anywhere

We understand how high the stakes are for this certification. That’s why we go beyond just providing questions — we provide a true learning experience.


Who Should Use This Practice Exam?

This product is ideal for:

  • IT professionals preparing to sit for the CISSP certification

  • Cybersecurity analysts and engineers seeking to advance their credentials

  • Information security managers aiming to validate their experience

  • Professionals in compliance, risk, and governance roles

  • Anyone committed to becoming a leader in cybersecurity


Get Started with Exam Sage Today

Join thousands of professionals who trust Exam Sage to elevate their exam readiness. Whether you’re preparing for your first attempt or need to sharpen your skills before a retake, this CISSP practice exam will help you succeed with confidence.

Sample Questions and Answers

1. Which of the following is the primary goal of confidentiality in information security?

A) Ensuring data is accurate and complete
B) Preventing unauthorized disclosure of information
C) Ensuring timely access to data
D) Protecting systems from malware

Answer: B
Explanation: Confidentiality focuses on preventing unauthorized users from accessing or disclosing sensitive information.


2. What is the purpose of a Security Information and Event Management (SIEM) system?

A) To enforce access controls
B) To perform vulnerability scans
C) To aggregate, analyze, and report on security events
D) To provide encryption for data at rest

Answer: C
Explanation: SIEM systems collect and correlate logs and events from many sources to detect suspicious activity and support incident response.


3. Which access control model is based on data owners defining access policies?

A) Discretionary Access Control (DAC)
B) Mandatory Access Control (MAC)
C) Role-Based Access Control (RBAC)
D) Rule-Based Access Control

Answer: A
Explanation: DAC allows the data owner to determine who has access to their objects or data, often implemented via Access Control Lists (ACLs).


4. In risk management, what is the best description of ‘residual risk’?

A) Risk transferred to a third party
B) Risk that remains after controls are implemented
C) Risk accepted without any controls
D) Risk caused by system vulnerabilities

Answer: B
Explanation: Residual risk is the level of risk that remains after security controls have been applied.


5. What does the principle of least privilege enforce?

A) Granting users only the access necessary to perform their job
B) Allowing users full administrative rights
C) Sharing all information among users
D) Denying access to everyone except the system owner

Answer: A
Explanation: Least privilege restricts users to only the permissions they need, reducing potential damage from misuse or errors.


6. What is the primary purpose of a Business Continuity Plan (BCP)?

A) To identify system vulnerabilities
B) To ensure critical business functions continue during disruptions
C) To conduct security awareness training
D) To prevent unauthorized network access

Answer: B
Explanation: BCP ensures an organization can maintain or quickly resume critical operations during and after a disaster or disruption.


7. What type of malware encrypts files and demands payment for decryption keys?

A) Trojan horse
B) Rootkit
C) Ransomware
D) Worm

Answer: C
Explanation: Ransomware encrypts data and extorts money from victims in exchange for the decryption key.


8. What cryptographic principle ensures a message has not been altered during transmission?

A) Confidentiality
B) Integrity
C) Availability
D) Non-repudiation

Answer: B
Explanation: Integrity guarantees that data has not been tampered with or altered in transit.


9. What is the primary function of a firewall in network security?

A) Encrypt data
B) Prevent unauthorized access by filtering traffic
C) Detect malware infections
D) Perform user authentication

Answer: B
Explanation: Firewalls filter incoming and outgoing traffic based on predetermined security rules to block unauthorized access.


10. Which of the following best describes a Zero Trust security model?

A) Trust all internal users by default
B) No implicit trust, verify everything continuously
C) Trust external users but not internal users
D) Trust devices on the corporate network only

Answer: B
Explanation: Zero Trust assumes no user or device is trusted by default and requires continuous verification.


11. What is the primary role of a Certificate Authority (CA) in Public Key Infrastructure (PKI)?

A) To issue and manage digital certificates
B) To encrypt data transmissions
C) To store private keys securely
D) To create symmetric encryption keys

Answer: A
Explanation: A CA issues digital certificates that authenticate the identity of entities in PKI systems.


12. Which security control is considered preventive?

A) Intrusion Detection System (IDS)
B) Security Awareness Training
C) Incident Response Plan
D) Backup and Recovery

Answer: B
Explanation: Preventive controls aim to stop security incidents before they occur, such as through training and policies.


13. What is a primary characteristic of a false positive in intrusion detection?

A) Correctly identifying a threat
B) Missing a genuine attack
C) Incorrectly signaling an attack when none exists
D) Failing to log an event

Answer: C
Explanation: A false positive occurs when the system incorrectly flags benign activity as malicious.


14. Which phase of the Incident Response process involves returning systems to normal operation?

A) Identification
B) Containment
C) Eradication
D) Recovery

Answer: D
Explanation: Recovery focuses on restoring affected systems and services to normal operation after an incident.


15. What is the main benefit of multi-factor authentication (MFA)?

A) Simplifies password management
B) Provides multiple layers of identity verification
C) Eliminates the need for passwords
D) Increases user convenience

Answer: B
Explanation: MFA strengthens security by requiring two or more independent credentials (something you know, have, or are).


16. What is the difference between a vulnerability and a threat?

A) Vulnerability is a weakness; threat is a potential attack
B) Vulnerability is an attack; threat is a weakness
C) Vulnerability is the damage caused; threat is the method used
D) Vulnerability and threat mean the same

Answer: A
Explanation: A vulnerability is a weakness in a system; a threat is any potential danger that can exploit that weakness.


17. What is the primary goal of network segmentation?

A) To improve network speed
B) To isolate and contain network traffic for security purposes
C) To encrypt data in transit
D) To back up network data

Answer: B
Explanation: Network segmentation divides a network into smaller parts to control traffic flow and limit the impact of breaches.


18. Which security principle ensures that a sender cannot deny sending a message?

A) Integrity
B) Confidentiality
C) Non-repudiation
D) Availability

Answer: C
Explanation: Non-repudiation ensures proof of origin and delivery, preventing the sender from denying their actions.


19. What is the main focus of the ISO/IEC 27001 standard?

A) Software development lifecycle
B) Information security management systems (ISMS)
C) Physical security controls
D) Disaster recovery planning

Answer: B
Explanation: ISO/IEC 27001 provides requirements for establishing, implementing, maintaining, and continually improving an ISMS.


20. What is a “man-in-the-middle” attack?

A) Attacker interrupts or alters communication between two parties
B) Attacker steals user credentials via phishing
C) Attacker exploits software bugs remotely
D) Attacker uses malware to control a system

Answer: A
Explanation: Man-in-the-middle (MITM) attacks intercept and potentially alter communications between two parties without their knowledge.


21. What kind of backup strategy includes backing up only data changed since the last full backup?

A) Full backup
B) Incremental backup
C) Differential backup
D) Snapshot backup

Answer: C
Explanation: Differential backups copy all changes since the last full backup, making restore faster but requiring more storage.


22. What is the main function of the CIA triad in security?

A) Control, Identify, Authenticate
B) Confidentiality, Integrity, Availability
C) Compliance, Inspection, Authorization
D) Confidentiality, Inspection, Access

Answer: B
Explanation: The CIA triad is the core model of information security focusing on Confidentiality, Integrity, and Availability.


23. What is the purpose of a honeypot in network security?

A) To block unauthorized users
B) To gather intelligence by attracting attackers
C) To encrypt data transmissions
D) To provide firewall services

Answer: B
Explanation: Honeypots lure attackers to a decoy system to analyze attack methods and distract attackers from real assets.


24. Which of the following best describes social engineering?

A) Using malware to compromise systems
B) Manipulating people to reveal confidential information
C) Exploiting software vulnerabilities
D) Using brute-force password attacks

Answer: B
Explanation: Social engineering exploits human psychology rather than technical vulnerabilities to gain unauthorized access.


25. In penetration testing, what does “white box testing” mean?

A) Testing with no knowledge of the target system
B) Testing with full knowledge of the target system
C) Testing only network devices
D) Testing without permission

Answer: B
Explanation: White box testing involves testers having full information about the system, such as source code and architecture.


26. What is the difference between hashing and encryption?

A) Hashing is reversible; encryption is not
B) Hashing creates a fixed-size digest; encryption is reversible with a key
C) Encryption produces a digest; hashing scrambles data
D) Hashing and encryption are identical

Answer: B
Explanation: Hashing produces a fixed-length digest that cannot be reversed, while encryption is reversible with the appropriate key.


27. What is the role of an Intrusion Prevention System (IPS)?

A) Detects attacks and blocks them in real time
B) Only logs suspicious activity
C) Manages user credentials
D) Encrypts network traffic

Answer: A
Explanation: IPS actively blocks detected threats based on signatures or anomalies, unlike IDS, which only detects and alerts.


28. What does ‘defense in depth’ mean in cybersecurity?

A) Using multiple layers of security controls
B) Relying on a single strong firewall
C) Prioritizing physical security over network security
D) Using only encryption to protect data

Answer: A
Explanation: Defense in depth uses overlapping layers of security to protect information systems from multiple vectors.


29. Which of the following is a key characteristic of a Zero-Day vulnerability?

A) It has been patched by the vendor
B) It is publicly known and exploited
C) It is unknown to the vendor and unpatched
D) It is harmless

Answer: C
Explanation: Zero-Day vulnerabilities are unknown to the vendor and have no patches, making them highly dangerous.


30. What type of attack involves flooding a network or server to disrupt services?

A) Phishing
B) SQL Injection
C) Denial of Service (DoS)
D) Cross-Site Scripting (XSS)

Answer: C
Explanation: DoS attacks overwhelm resources, making services unavailable to legitimate users.


31. Which of the following best describes the purpose of the NIST Cybersecurity Framework?

A) To regulate financial institutions
B) To provide voluntary guidance for managing cybersecurity risk
C) To define software development best practices
D) To specify hardware security requirements

Answer: B
Explanation: The NIST Cybersecurity Framework offers voluntary guidance to help organizations manage and reduce cybersecurity risk.


32. In risk assessment, what does the term “threat actor” refer to?

A) The process of identifying vulnerabilities
B) A person or entity that exploits vulnerabilities
C) Security controls in place to prevent attacks
D) A type of malware

Answer: B
Explanation: Threat actors are individuals or groups who carry out attacks exploiting vulnerabilities.


33. What is the main difference between symmetric and asymmetric encryption?

A) Symmetric uses two keys; asymmetric uses one key
B) Symmetric uses one key for encryption and decryption; asymmetric uses a key pair
C) Symmetric is always slower than asymmetric
D) Symmetric provides digital signatures; asymmetric does not

Answer: B
Explanation: Symmetric encryption uses a single shared key for both encryption and decryption, while asymmetric uses a public-private key pair.


34. What type of policy defines acceptable use of an organization’s information systems?

A) Privacy Policy
B) Acceptable Use Policy (AUP)
C) Incident Response Policy
D) Access Control Policy

Answer: B
Explanation: AUP outlines how employees and users may use organizational resources responsibly and legally.


35. Which of the following is NOT typically considered a physical security control?

A) Mantraps
B) Biometric scanners
C) Firewall rules
D) Security guards

Answer: C
Explanation: Firewall rules are network security controls, not physical security controls.


36. What does the term “definitional integrity” mean in the context of information security?

A) Consistency in security policies across an organization
B) Accuracy of a definition in a cryptographic algorithm
C) Integrity of configuration files
D) Consistent implementation of security controls according to standards

Answer: D
Explanation: Definitional integrity ensures that security controls and policies are consistently applied and understood across the organization.


37. What is the primary purpose of data classification?

A) To organize files alphabetically
B) To assign security levels based on data sensitivity
C) To increase network throughput
D) To encrypt all data

Answer: B
Explanation: Data classification helps identify and assign appropriate security controls based on sensitivity and value.


38. Which of the following best describes “social engineering”?

A) Exploiting system software bugs
B) Manipulating individuals to reveal confidential info
C) Sending phishing emails only
D) Running automated brute force attacks

Answer: B
Explanation: Social engineering targets human psychology to bypass security controls.


39. In cryptography, what is the main purpose of a digital signature?

A) To encrypt the entire message
B) To verify the sender’s identity and message integrity
C) To compress a file for transmission
D) To generate random numbers

Answer: B
Explanation: Digital signatures authenticate the sender and ensure the message has not been altered.


40. What does “defense in depth” aim to accomplish?

A) Minimize the number of security controls
B) Use layered security controls to protect assets
C) Outsource all security operations
D) Use encryption exclusively

Answer: B
Explanation: Defense in depth uses multiple layers of defense to protect systems and data from various threats.


41. Which of the following is an example of an administrative control?

A) Security awareness training
B) Firewall configuration
C) Antivirus software
D) Biometrics

Answer: A
Explanation: Administrative controls include policies, procedures, training, and guidelines to manage security.


42. What is the primary goal of a vulnerability assessment?

A) To exploit system weaknesses
B) To identify and evaluate weaknesses in systems
C) To recover data after an attack
D) To conduct penetration testing

Answer: B
Explanation: Vulnerability assessments discover and prioritize system weaknesses for remediation.


43. What kind of attack exploits buffer overflow vulnerabilities?

A) Social engineering
B) Injection attack
C) Denial of Service (DoS)
D) Exploit code execution

Answer: D
Explanation: Buffer overflow attacks write past the bounds of a program's memory buffer, which can allow an attacker to inject and execute malicious code.


44. Which of the following is NOT a characteristic of an Advanced Persistent Threat (APT)?

A) Highly targeted
B) Long-term presence in a network
C) Opportunistic and random attacks
D) Use of sophisticated tactics

Answer: C
Explanation: APTs are targeted and persistent, not random or opportunistic.


45. What is the main function of an Intrusion Detection System (IDS)?

A) Prevent attacks by blocking traffic
B) Detect and alert on potential intrusions
C) Manage user permissions
D) Encrypt sensitive data

Answer: B
Explanation: IDS monitors traffic for suspicious activity and alerts administrators but does not block traffic.


46. What is the difference between authentication and authorization?

A) Authentication verifies identity; authorization grants access rights
B) Authorization verifies identity; authentication grants access rights
C) Both terms mean the same
D) Neither involves access control

Answer: A
Explanation: Authentication confirms who a user is; authorization determines what they can access.


47. Which of the following is an example of a technical control?

A) Security policy
B) Encryption
C) Security awareness training
D) Incident response plan

Answer: B
Explanation: Technical controls include mechanisms such as encryption, firewalls, and access control systems.


48. What is the purpose of a Security Operations Center (SOC)?

A) Develop software security standards
B) Monitor and respond to security incidents in real time
C) Manage physical access controls
D) Conduct periodic audits

Answer: B
Explanation: SOC is a centralized unit responsible for continuous monitoring and incident response.


49. What is the primary function of a cryptographic hash function?

A) Encrypt data for confidentiality
B) Produce a fixed-size output unique to input data for integrity verification
C) Compress data for storage
D) Generate encryption keys

Answer: B
Explanation: Hash functions create a unique digest to verify data integrity but are not reversible.


50. What is a mantrap in physical security?

A) An automated fire suppression system
B) A physical security device controlling access between two secure areas
C) A type of malware
D) An encryption algorithm

Answer: B
Explanation: Mantraps are physical access controls that require verification before entry into sensitive areas.


51. Which of the following is a common security risk with Bring Your Own Device (BYOD) policies?

A) Increased encryption costs
B) Loss of centralized control over devices
C) Improved security due to device diversity
D) No additional risks

Answer: B
Explanation: BYOD policies often lead to challenges in managing and securing devices not owned by the organization.


52. What is “phishing”?

A) Using malware to infect a system
B) Sending fraudulent emails to obtain sensitive information
C) Exploiting network protocols
D) Overloading systems with traffic

Answer: B
Explanation: Phishing uses deceptive emails or messages to trick users into revealing credentials or personal info.


53. Which of the following is an example of a detective control?

A) Security cameras
B) Firewall
C) Encryption
D) Security policy

Answer: A
Explanation: Detective controls identify and detect incidents, such as CCTV or IDS.


54. What is the main purpose of a firewall?

A) To prevent unauthorized network access by filtering traffic
B) To authenticate users
C) To encrypt email messages
D) To back up data

Answer: A
Explanation: Firewalls filter incoming and outgoing network traffic to block unauthorized access.


55. Which of the following describes the concept of ‘separation of duties’?

A) Assigning multiple conflicting roles to one user
B) Dividing critical tasks among multiple users to reduce fraud risk
C) Allowing one person to manage all aspects of a process
D) Eliminating all access controls

Answer: B
Explanation: Separation of duties reduces risk by ensuring no one person has control over all parts of a critical function.


56. What type of malware disguises itself as legitimate software?

A) Worm
B) Trojan horse
C) Spyware
D) Ransomware

Answer: B
Explanation: Trojans appear as legitimate programs but perform malicious actions once executed.


57. What is the role of a Business Impact Analysis (BIA)?

A) To develop recovery procedures
B) To identify and evaluate the effects of disruptions on business functions
C) To encrypt sensitive data
D) To define user roles and responsibilities

Answer: B
Explanation: BIA assesses the potential impact of disruptions and prioritizes recovery efforts.


58. What is “tailgating” in physical security?

A) Encrypting wireless traffic
B) Following an authorized person to gain unauthorized access
C) Spoofing IP addresses
D) Using brute force attacks

Answer: B
Explanation: Tailgating involves unauthorized individuals physically following authorized personnel to access secure areas.


59. Which of the following is a common characteristic of social engineering attacks?

A) Exploiting software bugs
B) Using technology exclusively
C) Manipulating human trust and emotions
D) Only performed by insiders

Answer: C
Explanation: Social engineering targets human psychology rather than technical weaknesses.


60. Which type of cryptographic algorithm is typically used to establish a secure session key?

A) Hash function
B) Symmetric key algorithm
C) Asymmetric key algorithm
D) Digital signature

Answer: C
Explanation: Asymmetric algorithms are often used to exchange symmetric keys securely, which are then used for faster symmetric encryption.