ISC2 CISSP Practice Test
Certified Information Systems Security Professional
Use the form below to configure your ISC2 CISSP Practice Test. The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

ISC2 CISSP Information
The (ISC)² Certified Information Systems Security Professional (CISSP) exam is one of the most widely recognized credentials in the information security field. It covers an extensive body of knowledge related to cybersecurity, including eight domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. This broad scope is designed to validate a candidate’s depth and breadth of knowledge in protecting organizations from increasingly complex cyber threats.
Achieving a CISSP certification signals a strong understanding of industry best practices and the ability to design, implement, and manage a comprehensive cybersecurity program. As a result, the exam is often regarded as challenging, requiring both practical experience and intensive study of each domain’s key principles. Many cybersecurity professionals pursue the CISSP to demonstrate their expertise, enhance their credibility, and open doors to higher-level roles such as Security Manager, Security Consultant, or Chief Information Security Officer.
Scroll down to see your responses and detailed results
Free ISC2 CISSP Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 15
- Time: Unlimited
- Included Topics:Security and Risk ManagementAsset SecuritySecurity Architecture and EngineeringCommunication and Network SecurityIdentity and Access Management (IAM)Security Assessment and TestingSecurity OperationsSoftware Development Security
In a Discretionary Access Control (DAC) environment, a file owner can delegate access permissions to other users but cannot restrict access once it has been shared.
- You selected this option
True
- You selected this option
False
Answer Description
This statement is false because, in a DAC environment, the file owner retains the ability to both delegate and revoke access permissions to their resources. DAC grants users the flexibility to control who can access their files and to modify those permissions as needed. This contrasts with models like Mandatory Access Control (MAC), where access is dictated by external policies and cannot be altered by individual users.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does DAC stand for in access control?
How does DAC differ from Mandatory Access Control (MAC)?
Can users with delegated permissions in a DAC environment further share access?
A global financial institution is implementing a new security model where access to sensitive financial data is determined by user clearance levels that are assigned by the security team. Users cannot share or transfer access rights to other users. Which access control model BEST describes this implementation?
- You selected this option
Role-Based Access Control (RBAC)
- You selected this option
Discretionary Access Control (DAC)
- You selected this option
Attribute-Based Access Control (ABAC)
- You selected this option
Mandatory Access Control (MAC)
Answer Description
The correct answer is Mandatory Access Control (MAC). This model is characterized by centrally controlled access rights based on clearance levels, where the system or security administrators determine the access levels rather than the data owners. In MAC, users cannot share or transfer their access rights to others, as access is strictly governed by security labels and clearance levels.
Discretionary Access Control (DAC) is incorrect because in DAC, the data owner determines who can access the resources and can delegate those permissions to others.
Role-Based Access Control (RBAC) is incorrect because while it does involve assigning permissions to roles rather than individual users, it doesn't inherently involve clearance levels and doesn't prevent delegation if the implementation allows it.
Attribute-Based Access Control (ABAC) is incorrect because it makes access decisions based on attributes of users, resources, and environmental conditions rather than clearance levels alone.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are clearance levels in Mandatory Access Control (MAC)?
How does Mandatory Access Control (MAC) differ from Discretionary Access Control (DAC)?
What are the advantages of using Mandatory Access Control (MAC)?
Which of the following is the BEST approach for evaluating the security of third-party application components?
- You selected this option
Reviewing the vendor's claims about security features during contract negotiations
- You selected this option
Using only open-source components with public code repositories
- You selected this option
Requesting the vendor's security certification documentation
- You selected this option
Conducting a software composition analysis and vulnerability scan
Answer Description
The correct answer is conducting a software composition analysis and vulnerability scan. This approach provides objective, verifiable information about the components' security by identifying known vulnerabilities in the specific versions being used. It gives organizations direct visibility into security issues rather than relying solely on vendor claims or documentation.
Requesting the vendor's security certification documentation is useful but insufficient on its own. Certifications may be outdated, have limited scope, or not address specific vulnerabilities in the components you're using.
Reviewing the vendor's claims about security features during contract negotiation may discourage overstatement of security capabilities. However, it does not evaluate or compensate for vulnerabilities in their products.
Using only open-source components with public code repositories has some advantages for transparency but doesn't guarantee security. Open-source software can still contain vulnerabilities, and not all proprietary software is inherently less secure than open-source alternatives. The key is proper evaluation regardless of the source.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is software composition analysis?
What is a vulnerability scan?
Why are vendor claims about security features inadequate?
An individual having the same role indefinitely increases the risk of misconduct or security breaches.
- You selected this option
False
- You selected this option
True
Answer Description
The statement is true because job rotation helps mitigate risks associated with continuous access to sensitive information or processes by distributing responsibilities among different personnel. By rotating jobs, organizations can reduce the opportunities for individuals to engage in unethical behavior or make mistakes without oversight. The incorrect options do not accurately reflect the security benefits of implementing job rotation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is job rotation and how does it work?
What are the benefits of job rotation in terms of security?
What are some potential downsides to job rotation?
A security team at a financial institution is investigating unusual energy consumption patterns on their HSM that handles cryptographic operations. During a security assessment, they notice that electrical usage fluctuates based on different cryptographic operations being performed. What type of side-channel attack is this hardware potentially vulnerable to?
- You selected this option
Timing Attack
- You selected this option
Power Analysis
- You selected this option
Electromagnetic Analysis
- You selected this option
Fault Injection
Answer Description
The correct answer is Power Analysis. Power analysis is a specific type of side-channel attack that monitors the power consumption of a device during cryptographic operations. By analyzing the variations in power consumption patterns, attackers can potentially extract sensitive information such as cryptographic keys.
Differential Power Analysis (DPA) and Simple Power Analysis (SPA) are common techniques where attackers measure power consumption during cryptographic operations to deduce secret information. The observed correlation between electrical usage and operations being performed is a classic indicator of vulnerability to power analysis attacks.
Fault injection involves deliberately introducing errors into a Hardware Security Module (HSM) to cause it to behave incorrectly and potentially reveal cryptographic secrets, but does not focus on monitoring energy consumption. Timing attacks exploit the time taken to perform cryptographic operations rather than power consumption. Electromagnetic analysis focuses on radiation emissions rather than direct power consumption patterns.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Differential Power Analysis (DPA) and Simple Power Analysis (SPA)?
What countermeasures can be implemented to protect against power analysis attacks?
What other types of side-channel attacks exist, and how do they differ from power analysis?
What is the PRIMARY purpose of implementing separate development, testing, and production environments?
- You selected this option
To reduce the ability of developers to use sensitive data in development environments
- You selected this option
To enable different access control policies for different user groups
- You selected this option
To enforce separation of duties among development teams
- You selected this option
To prevent untested code and configuration changes from affecting production systems
Answer Description
The correct answer is to prevent untested code and configuration changes from affecting production systems. Separate environments allow changes to be developed and tested in isolation before being deployed to production, reducing the risk of service disruptions and security issues in systems serving real users.
Reducing the ability of developers to use sensitive data in development environments can be a benefit of separating environments. However, good security practices would make it difficult for developers to access and retrieve sensitive data regardless of the environment, as they should develop using artificial data sets.
**Enforcing separation of duties among development teams may be a secondary benefit **but is not the primary purpose of environment separation. Separation of duties can be implemented through access controls and organizational structure even within a single environment.
Enabling different access control policies for different user groups can be accomplished without completely separate environments. While access controls are important, the main purpose of environment separation is to isolate changes and provide a progression for testing and validation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to test code before deploying it to production?
What are some common practices used in a testing environment?
How can separate environments enhance security measures?
A security manager wants to enhance an organization's security posture by conducting simulated attacks on their systems while simultaneously monitoring defensive capabilities in real-time. Which of the following approaches would BEST serve this requirement?
- You selected this option
Compliance check
- You selected this option
Red team exercise
- You selected this option
Purple team exercise
- You selected this option
Blue team exercise
Answer Description
A purple team exercise is the BEST answer because it combines both offensive (red team) and defensive (blue team) capabilities in a collaborative effort. Purple team exercises involve red team members conducting attacks while blue team members actively defend and respond, with both teams sharing information and insights throughout the exercise. This approach allows for real-time feedback, immediate learning opportunities, and provides the most comprehensive view of both attack and defense capabilities simultaneously.
Red team exercises focus primarily on simulating attacks without actively involving the defensive team in a collaborative way. Blue team exercises focus on defense without incorporating active, realistic attack simulations. Compliance checks are formal reviews to ensure systems meet regulatory or policy requirements but don't involve simulated attacks or defensive responses in real-time.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are red team and blue team exercises?
What is the purpose of a purple team exercise?
How do compliance checks differ from security exercises?
A hospital is planning to deploy networked infusion pumps that automatically administer medication to patients based on programmed parameters. As the CISO, which security measure would be MOST appropriate to mitigate the risks associated with these embedded systems?
- You selected this option
Daily vulnerability scanning of devices
- You selected this option
Implementing code signing for firmware updates
- You selected this option
Physical isolation from network systems
- You selected this option
Requiring strong passwords changed monthly
Answer Description
Code signing is the most appropriate security measure for embedded medical devices like infusion pumps because it ensures that only authorized firmware and software updates can be installed on the devices. This prevents malicious code execution and unauthorized modifications to the device functionality.
The other options are inadequate or inappropriate for securing embedded medical devices:
- Strong passwords alone would not prevent firmware tampering or unauthorized code execution
- Physical isolation is impractical for networked medical devices that need to communicate with hospital systems
- Daily vulnerability scanning could potentially disrupt the operation of these critical medical devices and many embedded systems lack the computing resources to support continuous scanning
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is code signing and how does it work?
What are the risks associated with embedded medical devices like infusion pumps?
Why is physical isolation impractical for networked medical devices?
During a security assessment strategy meeting, a security analyst suggests implementing a specific testing approach that focuses on unexpected system interactions and negative scenarios. Which testing methodology is being described?
- You selected this option
Purple team exercises
- You selected this option
Coverage analysis
- You selected this option
Synthetic transaction analysis
- You selected this option
Misuse case testing
Answer Description
Misuse case testing is a methodology that examines how systems can be intentionally or unintentionally abused by exploring negative scenarios and unexpected interactions. This approach differs from traditional use cases by specifically focusing on potential exploit vectors and problematic usage patterns rather than legitimate functionality. Security professionals leverage misuse case testing to identify vulnerabilities that might remain hidden during conventional testing approaches by adopting an adversarial mindset. This methodology helps organizations strengthen their security posture by uncovering potential attack vectors before they can be exploited by malicious actors.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are misuse cases in software testing?
How do misuse case testing and traditional testing differ?
Why is adopting an adversarial mindset important in security assessments?
Which of the following BEST describes the concept of "supply chain security" in software development?
- You selected this option
Protecting the integrity and security of all components and processes involved in creating software
- You selected this option
Managing inventory levels of software licenses
- You selected this option
Ensuring the physical security of hardware devices during shipping
- You selected this option
Optimizing delivery schedules for software patches
Answer Description
The correct answer is protecting the integrity and security of all components and processes involved in creating software. Supply chain security in software development encompasses securing all aspects of the software creation process, from third-party components and development tools to build systems and distribution mechanisms, ensuring that malicious code isn't introduced at any stage.
Ensuring the physical security of hardware devices during shipping addresses only a narrow aspect of hardware supply chain security. While important for hardware, it doesn't address the broader software supply chain concerns.
**Managing inventory levels of development equipment **is an availability concern, but it is rarely a security function related to software development. Inventory management may be part of asset management but doesn't directly relate to securing the software supply chain.
**Optimizing delivery schedules for software patches ** can assist security in scheduling operational impact. However, release timing doesn't directly affect the security of the software being developed.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the components of software supply chain security?
How can third-party libraries affect supply chain security?
What steps can organizations take to enhance software supply chain security?
A government agency is decommissioning laptops that previously contained sensitive information. The security team needs to ensure that no data can be recovered from these devices. The laptops use SSDs that contained classified information. Which method would BEST address data remanence concerns for these devices?
- You selected this option
Overwriting the SSDs with random data
- You selected this option
Standard formatting of the SSDs
- You selected this option
Physical destruction of the SSDs
- You selected this option
Degaussing the SSDs
Answer Description
Physical destruction is the BEST method for addressing data remanence concerns with Solid State Drives (SSDs) that contained classified information. Unlike traditional hard drives, SSDs store data in flash memory cells that can retain data fragments even after logical deletion operations.
Overwriting (secure wiping) is less effective on SSDs due to wear-leveling algorithms that redistribute write operations across the drive, potentially leaving some cells with original data untouched. Standard formatting simply removes the file system index without removing the actual data. Degaussing is effective for magnetic media (like traditional hard drives) but does not reliably clear data from SSDs which use electronic storage rather than magnetic storage.
Physical destruction (shredding, disintegration, pulverization, or incineration) ensures that no data can be recovered from the storage media, making it the most appropriate choice for addressing data remanence on devices that contained classified information.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the implications of data remanence on SSDs?
Why is standard formatting ineffective for SSDs in terms of data security?
What are the common methods of physical destruction for SSDs?
A healthcare organization is designing a new data center facility that will house critical patient information systems. Which of the following design considerations would BEST address both environmental threats and unauthorized physical access concerns?
- You selected this option
Build the data center on the top floor with large windows to reduce humidity
- You selected this option
Use glass walls throughout the data center to maintain visibility of all equipment
- You selected this option
Place the facility in a high-traffic area for easier maintenance access
- You selected this option
Design the facility away from flood plains and with proper access control systems
Answer Description
The correct answer involves designing the facility away from flood plains while implementing proper access control systems. This approach simultaneously addresses environmental threats (avoiding flood-prone areas) and physical security concerns (restricting unauthorized access). A layered approach to data center security must account for both natural hazards and human threats. The other options fail to provide comprehensive protection: glass walls compromise security despite visibility benefits, high-traffic locations increase rather than decrease security risks, and top-floor locations with large windows create vulnerabilities to both environmental threats and physical security breaches.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are some common environmental threats to data centers?
What are access control systems, and why are they important?
What factors should be considered when designing the physical layout of a data center?
What method is often employed to rigorously assess the effectiveness of recovery strategies in a disaster recovery plan?
- You selected this option
Evaluate distinct aspects of the recovery plan separately without integration.
- You selected this option
Review the recovery procedures in a controlled environment without disruption.
- You selected this option
Engage in a practical scenario that alters normal operations to assess recovery capabilities.
- You selected this option
Lead a discussion among team members regarding recovery processes and actions.
Answer Description
The selected method typically requires engaging in a scenario that alters normal operations, allowing teams to identify weaknesses and refine processes in real-time. Other options represent less direct forms of evaluation that do not provide the same level of insight into recovery effectiveness.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a disaster recovery plan?
What are the types of disaster recovery strategies?
What does 'engaging in a practical scenario' entail in disaster recovery testing?
A financial application encounters an unexpected error during transaction processing. Which secure design principle should be applied to ensure the system does not default to an insecure state?
- You selected this option
Secure defaults
- You selected this option
Least privilege
- You selected this option
Fail securely
- You selected this option
Defense in depth
Answer Description
'Fail securely' is the correct secure design principle to apply in this scenario. When a system encounters an error or failure condition, it should default to a secure state rather than an insecure one. In practice, this means that when the financial application encounters an unexpected error, it should reject transactions by default rather than accidentally approving them, maintain access restrictions rather than opening them, and preserve security controls even during failure modes.
Other options are incorrect because:
- Secure defaults refers to systems being deployed with secure initial configurations.
- Defense in depth involves implementing multiple security controls in layers.
- Least privilege concerns limiting user access rights to only what's necessary for their job function.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'fail securely' mean in the context of cybersecurity?
How does 'secure defaults' differ from 'fail securely'?
Can you explain 'defense in depth' and how it relates to secure design principles?
An organization implements a system where access to sensitive information is regulated based on user roles assigned in a dynamic manner, taking into account multiple contextual factors such as location and time. This approach is an example of a comprehensive access control policy.
- You selected this option
True
- You selected this option
False
Answer Description
This statement is true, as it describes a context-aware access control policy that employs role-based access control (RBAC) principles while factoring in dynamic elements. By using contextual factors, organizations can enhance security and ensure that access is not only role-based but also relevant to the situation, thereby mitigating risks associated with unauthorized access or misuse. In contrast, a static role assignment would not provide the same level of flexibility or security in varying circumstances.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is context-aware access control policy?
What are the principles of role-based access control (RBAC)?
What are the risks associated with static role assignments?
Cool beans!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.