ISC2 CISSP Practice Test

Certified Information Systems Security Professional

Use the form below to configure your ISC2 CISSP Practice Test. The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

ISC2 CISSP Information

The (ISC)² Certified Information Systems Security Professional (CISSP) exam is one of the most widely recognized credentials in the information security field. It covers an extensive body of knowledge related to cybersecurity, including eight domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. This broad scope is designed to validate a candidate’s depth and breadth of knowledge in protecting organizations from increasingly complex cyber threats.

Achieving a CISSP certification signals a strong understanding of industry best practices and the ability to design, implement, and manage a comprehensive cybersecurity program. As a result, the exam is often regarded as challenging, requiring both practical experience and intensive study of each domain’s key principles. Many cybersecurity professionals pursue the CISSP to demonstrate their expertise, enhance their credibility, and open doors to higher-level roles such as Security Manager, Security Consultant, or Chief Information Security Officer.

Free ISC2 CISSP Practice Test

  • Questions: 15
  • Time: Unlimited
  • Included Topics:
    ◦ Security and Risk Management
    ◦ Asset Security
    ◦ Security Architecture and Engineering
    ◦ Communication and Network Security
    ◦ Identity and Access Management (IAM)
    ◦ Security Assessment and Testing
    ◦ Security Operations
    ◦ Software Development Security

Question 1 of 15

In a Discretionary Access Control (DAC) environment, a file owner can delegate access permissions to other users but cannot restrict access once it has been shared.

  • True
  • False

Question 2 of 15

A global financial institution is implementing a new security model where access to sensitive financial data is determined by user clearance levels that are assigned by the security team. Users cannot share or transfer access rights to other users. Which access control model BEST describes this implementation?

  • Role-Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Attribute-Based Access Control (ABAC)
  • Mandatory Access Control (MAC)

Question 3 of 15

Which of the following is the BEST approach for evaluating the security of third-party application components?

  • Reviewing the vendor's claims about security features during contract negotiations
  • Using only open-source components with public code repositories
  • Requesting the vendor's security certification documentation
  • Conducting a software composition analysis and vulnerability scan

Question 4 of 15

An individual having the same role indefinitely increases the risk of misconduct or security breaches.

  • False
  • True

Question 5 of 15

A security team at a financial institution is investigating unusual energy consumption patterns on their HSM that handles cryptographic operations. During a security assessment, they notice that electrical usage fluctuates based on different cryptographic operations being performed. What type of side-channel attack is this hardware potentially vulnerable to?

  • Timing Attack
  • Power Analysis
  • Electromagnetic Analysis
  • Fault Injection

Question 6 of 15

What is the PRIMARY purpose of implementing separate development, testing, and production environments?

  • To reduce the ability of developers to use sensitive data in development environments
  • To enable different access control policies for different user groups
  • To enforce separation of duties among development teams
  • To prevent untested code and configuration changes from affecting production systems

Question 7 of 15

A security manager wants to enhance an organization's security posture by conducting simulated attacks on their systems while simultaneously monitoring defensive capabilities in real-time. Which of the following approaches would BEST serve this requirement?

  • Compliance check
  • Red team exercise
  • Purple team exercise
  • Blue team exercise

Question 8 of 15

A hospital is planning to deploy networked infusion pumps that automatically administer medication to patients based on programmed parameters. As the CISO, which security measure would be MOST appropriate to mitigate the risks associated with these embedded systems?

  • Daily vulnerability scanning of devices
  • Implementing code signing for firmware updates
  • Physical isolation from network systems
  • Requiring strong passwords changed monthly

Question 9 of 15

During a security assessment strategy meeting, a security analyst suggests implementing a specific testing approach that focuses on unexpected system interactions and negative scenarios. Which testing methodology is being described?

  • Purple team exercises
  • Coverage analysis
  • Synthetic transaction analysis
  • Misuse case testing

Question 10 of 15

Which of the following BEST describes the concept of "supply chain security" in software development?

  • Protecting the integrity and security of all components and processes involved in creating software
  • Managing inventory levels of software licenses
  • Ensuring the physical security of hardware devices during shipping
  • Optimizing delivery schedules for software patches

Question 11 of 15

A government agency is decommissioning laptops that previously contained sensitive information. The security team needs to ensure that no data can be recovered from these devices. The laptops use SSDs that contained classified information. Which method would BEST address data remanence concerns for these devices?

  • Overwriting the SSDs with random data
  • Standard formatting of the SSDs
  • Physical destruction of the SSDs
  • Degaussing the SSDs

Question 12 of 15

A healthcare organization is designing a new data center facility that will house critical patient information systems. Which of the following design considerations would BEST address both environmental threats and unauthorized physical access concerns?

  • Build the data center on the top floor with large windows to reduce humidity
  • Use glass walls throughout the data center to maintain visibility of all equipment
  • Place the facility in a high-traffic area for easier maintenance access
  • Design the facility away from flood plains and with proper access control systems

Question 13 of 15

What method is often employed to rigorously assess the effectiveness of recovery strategies in a disaster recovery plan?

  • Evaluate distinct aspects of the recovery plan separately without integration.
  • Review the recovery procedures in a controlled environment without disruption.
  • Engage in a practical scenario that alters normal operations to assess recovery capabilities.
  • Lead a discussion among team members regarding recovery processes and actions.

Question 14 of 15

A financial application encounters an unexpected error during transaction processing. Which secure design principle should be applied to ensure the system does not default to an insecure state?

  • Secure defaults
  • Least privilege
  • Fail securely
  • Defense in depth

Question 15 of 15

An organization implements a system where access to sensitive information is regulated based on user roles assigned in a dynamic manner, taking into account multiple contextual factors such as location and time. This approach is an example of a comprehensive access control policy.

  • True
  • False