ISC2 CISSP Practice Test

Certified Information Systems Security Professional

Use the form below to configure your ISC2 CISSP Practice Test. The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

ISC2 CISSP Information

The (ISC)² Certified Information Systems Security Professional (CISSP) exam is one of the most widely recognized credentials in the information security field. It covers an extensive body of knowledge related to cybersecurity, including eight domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. This broad scope is designed to validate a candidate’s depth and breadth of knowledge in protecting organizations from increasingly complex cyber threats.

Achieving a CISSP certification signals a strong understanding of industry best practices and the ability to design, implement, and manage a comprehensive cybersecurity program. As a result, the exam is often regarded as challenging, requiring both practical experience and intensive study of each domain’s key principles. Many cybersecurity professionals pursue the CISSP to demonstrate their expertise, enhance their credibility, and open doors to higher-level roles such as Security Manager, Security Consultant, or Chief Information Security Officer.

Free ISC2 CISSP Practice Test

  • Questions: 15
  • Time: Unlimited
  • Included Topics:
    Security and Risk Management
    Asset Security
    Security Architecture and Engineering
    Communication and Network Security
    Identity and Access Management (IAM)
    Security Assessment and Testing
    Security Operations
    Software Development Security
Question 1 of 15

A security team needs to evaluate potential security flaws in its newly deployed web application before making it available to customers. Which of the following approaches would be the BEST first step in identifying potential vulnerabilities?

  • Conduct a full-scale penetration test with a red team
  • Implement a web application firewall
  • Perform automated vulnerability scanning against the application
  • Review the application's access control matrix

Question 2 of 15

A company is implementing an identity integration solution to connect their internal directory services with multiple third-party SaaS applications. The security team requires that all authentication traffic between their systems and external service providers must remain within their corporate network boundary. Which approach would BEST meet this requirement?

  • Implementing a credential caching system
  • Deploying a cloud-based integration service
  • Implementing a local identity proxy
  • Configuring a token forwarding mechanism

Question 3 of 15

A data center manager is evaluating fire suppression systems for a newly constructed server room housing critical infrastructure. The primary concern is protecting expensive electronic equipment while ensuring rapid fire suppression with minimal cleanup. Which fire suppression system would be the BEST choice for this environment?

  • Dry chemical system using sodium bicarbonate
  • Carbon dioxide (CO2) flooding system
  • Clean agent system using FM-200 or NOVEC 1230
  • Traditional water sprinkler system with pre-action capability

Question 4 of 15

A large multinational corporation is implementing a secure email system that requires messages to be digitally signed. The CISO wants to ensure the system provides strong non-repudiation capabilities. Which of the following best describes how digital signatures provide non-repudiation in this scenario?

  • The digital signature is created using the sender's private key, which is under their control, making it difficult to deny sending the message
  • The digital signature adds a trusted timestamp to each message that is validated by multiple third parties
  • The digital signature encrypts the message content so that it can be decrypted by the intended recipient
  • The digital signature requires a certificate authority to validate each transaction in real-time before delivery

Question 5 of 15

Under the General Data Protection Regulation (GDPR), which of the following rights allows covered individuals to request complete removal of their personal data from an organization's systems?

  • Right to data portability
  • Right to access
  • Right to be forgotten
  • Right to information

Question 6 of 15

A healthcare organization wants to implement an access control system that can make decisions based on the patient's relationship to the healthcare provider, time of day, location of access attempt, and sensitivity of the medical records. Which access control model would BEST meet these requirements?

  • Mandatory Access Control (MAC)
  • Role-based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Attribute-based Access Control (ABAC)

Question 7 of 15

A security architect at a large enterprise is reviewing the network traffic patterns in their newly deployed private cloud environment. They notice that most of the traffic is occurring between application servers in the same data center. Which type of traffic flow is being observed, and what security approach would be most appropriate for protecting this traffic pattern?

  • East-West traffic; implement micro-segmentation between application servers
  • North-South traffic; implement Network Access Control (NAC) systems
  • North-South traffic; strengthen perimeter firewalls at the data center edge
  • East-West traffic; deploy additional VPN concentrators

Question 8 of 15

The JIT access model allows users to access permissions only when required for specific tasks, with permissions being immediately revoked after use.

  • True
  • False

Question 9 of 15

An employee expresses discomfort during a safety training session about the presence of unknown individuals frequently seen in the workplace. What should management prioritize as the first course of action in response to this concern?

  • Review and enhance security protocols concerning unknown individuals on the premises.
  • Send out a reminder for employees to report any suspicious behavior without specific guidance.
  • Organize a meeting to gather employee feedback while delaying action on the issue.
  • Install additional security cameras to monitor the area without addressing personnel protocols.

Question 10 of 15

A global financial institution has implemented a comprehensive disaster recovery plan and wants to validate their recovery procedures under real-world conditions before hurricane season begins. The CISO has requested a test that will provide maximum confidence in the organization's ability to recover critical systems. Which testing approach should be implemented?

  • Full interruption test
  • Parallel test
  • Simulation test
  • Tabletop exercise

Question 11 of 15

A financial services company is experiencing issues with their web application where users are complaining that they have to re-authenticate multiple times during their workflow. The security team wants to implement a solution that maintains security while improving the user experience. Which session management approach would be MOST appropriate?

  • Storing user credentials in browser cookies for automatic re-authentication
  • Using IP address tracking to maintain user sessions
  • Implementing session tokens that are valid until the user logs out
  • Implementing session tokens with longer timeout values

Question 12 of 15

What is the key purpose of assessing the disaster recovery outcomes after an incident?

  • To ensure staff are trained on key systems
  • To identify areas for improvement in recovery processes
  • To restore systems to their original state
  • To determine which systems need redundancy

Question 13 of 15

A global financial company is reviewing its data retention policies. The Chief Information Security Officer wants to ensure the organization is implementing retention periods that minimize both legal risk and storage costs. Which of the following approaches represents the BEST strategy for data retention policy development?

  • Retain data for a seven-year period where necessary to simplify compliance management
  • Delete data promptly after transaction completion to minimize storage and security costs
  • Retain data as long as needed to ensure availability for future business intelligence and legal discovery
  • Develop a data classification scheme with retention periods based on legal requirements, business needs, and industry regulations

Question 14 of 15

A security incident has occurred at your organization involving unauthorized access to sensitive customer data. As the lead security investigator, you have collected evidence from various systems and are now preparing your final investigation report. Which of the following elements is MOST important to include in your documentation?

  • Screenshots of system logs without timestamps
  • Recommendations for disciplinary actions against employees
  • Personal opinions about who should be held responsible
  • Chain of custody documentation for collected evidence

Question 15 of 15

A cybersecurity incident response team at a financial institution has discovered a compromised employee workstation. Digital evidence needs to be collected for potential legal action. What should be the FIRST step in collecting digital evidence from the compromised workstation?

  • Document visible running processes and applications
  • Begin examining files directly on the live system
  • Create a forensic image of the storage media
  • Shut down the system promptly to preserve evidence