ISC CISSP Certified Information Systems Security Professional Exam Dumps and Practice Test Questions Set 1 Q1-20
During a business impact analysis (BIA), the security team identifies that the exposure of confidential customer data would have severe reputational damage and possible regulatory fines. Which of the following is the best next step under the domain of Risk Management and Governance?
A) Immediately purchase cyber-insurance to transfer the risk
B) Classify the data asset, identify the threat sources and vulnerabilities, and quantify the risk before deciding on treatment
C) Shut down all systems that handle the data until the risk is resolved
D) Assume the risk and accept it because the cost of mitigation is too high
Answer: B) Classify the data asset, identify the threat sources and vulnerabilities, and quantify the risk before deciding on treatment.
Explanation:
When assessing and managing information security risks, the correct approach is option B: classify the data asset, identify the threat sources and vulnerabilities, and quantify the risk before deciding on treatment. This process is fundamental to effective risk management and aligns with the Security and Risk Management domain of the CISSP Common Body of Knowledge. Risk assessment is a structured and systematic process that ensures organizations make informed decisions regarding security measures and risk treatment, rather than reacting impulsively or taking actions without a clear understanding of the risk landscape.
The first step in risk assessment is classifying the data asset. Classification involves determining the sensitivity, importance, and criticality of the information or system. Not all assets carry the same level of risk, so understanding the value and role of each asset is essential for prioritization. For example, financial records or personally identifiable information are typically high-value assets, whereas publicly available information may carry minimal risk. By classifying assets, an organization can focus resources and attention on protecting the most critical components of its operations.
After classifying the asset, the next step is identifying potential threat sources and vulnerabilities. Threat sources can include internal actors, such as employees with malicious intent, or external actors, such as hackers or cybercriminals. Vulnerabilities are weaknesses in systems, processes, or policies that could be exploited by these threats. Understanding both the threats and vulnerabilities allows an organization to form a clear picture of the potential risks. This stage ensures that security measures are targeted and effective, rather than broad or unfocused.
Once the threats and vulnerabilities are identified, the organization must quantify the risk. Risk quantification typically involves assessing the likelihood of a threat exploiting a vulnerability and the potential impact if it occurs. This can be expressed in qualitative terms, such as high, medium, or low risk, or quantitatively, using numerical values for likelihood and impact. The purpose of risk quantification is to provide an objective basis for deciding on appropriate risk treatment strategies. Without this step, decisions are likely to be based on assumptions or incomplete information, which may result in either under-protection or excessive investment in security controls.
Only after risk has been properly assessed and quantified should an organization decide on the appropriate risk treatment. Common options include mitigating the risk through controls and safeguards, transferring the risk through insurance or outsourcing, accepting the risk if it falls within the organization’s risk tolerance, or avoiding the risk entirely by discontinuing a risky activity. Choosing a treatment without performing classification, threat and vulnerability identification, and risk quantification, as in options A or C, is premature and can lead to suboptimal decisions. Immediately purchasing cyber-insurance, for example, transfers risk but does not reduce the likelihood or impact of an event and does not provide insight into other potential controls. Shutting down systems completely may prevent risk exposure temporarily, but it is often impractical and can severely disrupt business operations. Assuming the risk without assessment, as suggested in option D, may be acceptable in some cases, but should only occur after careful quantification and business evaluation.
Option B represents a structured and methodical approach to risk management. It ensures that security decisions are grounded in a thorough understanding of the asset, the threats it faces, and the potential consequences of those threats being realized. This approach balances security objectives with business needs, ensuring that resources are applied effectively and that risk treatment aligns with organizational priorities. It also provides documentation and justification for decisions, which is valuable for audits, compliance, and ongoing risk monitoring.
In conclusion, proper risk assessment is the foundation of effective risk management. By classifying assets, identifying threats and vulnerabilities, and quantifying risk, an organization can make informed decisions about risk treatment. Options that jump directly to treatment without assessment or that take drastic measures without context are not consistent with best practices. Option B is the correct approach because it follows a logical sequence that maximizes understanding, prioritization, and effectiveness in addressing security risks, while also supporting business objectives and operational continuity.
An organisation is implementing data classification as required by Domain 2 (Asset Security). Which of the following statements best reflects the principle of “data ownership”?
A) IT operations owns all data and is responsible for its classification and the enforcement of controls
B) The business unit that generates or uses the data owns that data and is responsible for its value, classification, and lifecycle
C) The external vendor owns the data since they host it in their cloud environment
D) The chief information security officer (CISO) owns the data and is solely accountable
Answer: B) The business unit that generates or uses the data owns that data and is responsible for its value, classification, and lifecycle.
Explanation:
In Domain 2 (Asset Security), one key concept is that assets (including information) must have clearly identified owners who understand the value, classification, and lifecycle (including retention and disposal) of the data. The business unit typically owns the data because it understands the business context and the value and impact of that information. IT may support the data, but it is not the owner (so A is incorrect). The external vendor (C) may be a processor but typically not the owner. The CISO (D) has oversight but not operational ownership of each data asset.
Which of the following best describes the purpose of the Bell-LaPadula security model in the context of Domain 3 (Security Architecture & Engineering)?
A) Ensuring that no information flows from a lower classification level to a higher classification level (write-up)
B) Ensuring that no information flows from a higher classification level to a lower classification level (no write down)
C) Enforcing the separation of duties among database administrators
D) Handling identity and access management for cloud resources
Answer: B) Ensuring that no information flows from a higher classification level to a lower classification level (no write down).
Explanation:
The Bell-LaPadula model is a confidentiality-oriented access control model used in Domain 3 (Security Architecture & Engineering) to prevent sensitive information from flowing downwards (i.e., from a higher classification level to a lower one). Its two primary rules are the “simple security property” (no read up) and the “star property” (no write down). Here, “no write down” is the key rule: it prevents a subject at a higher level from writing to an object at a lower level, which would leak information. Option A is reversed (a “no write-up” rule is not part of Bell-LaPadula). C is about segregation of duties (a governance concept). D is IAM, which is not what the Bell-LaPadula model addresses.
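As an added illustration (not part of the original explanation), the following Python models the two Bell-LaPadula rules as a reference-monitor style check; the subjects, objects and clearance levels are constructed for the example:

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Totally ordered classification lattice (constructed for the example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Level


def can_read(subject: Subject, obj: DataObject) -> bool:
    """Simple security property ("no read up"): a subject may read an object
    only if the subject's clearance dominates the object's classification."""
    return subject.clearance >= obj.classification


def can_write(subject: Subject, obj: DataObject) -> bool:
    """Star property ("no write down"): a subject may write an object only if
    the object's classification dominates the subject's clearance, so data can
    never flow to a lower level. Writing upward is permitted by this rule."""
    return subject.clearance <= obj.classification


def decide(subject: Subject, obj: DataObject, op: str):
    """Return (allowed, human-readable reason) for one access request."""
    if op == "read":
        ok, rule = can_read(subject, obj), "simple security property (no read up)"
    elif op == "write":
        ok, rule = can_write(subject, obj), "star property (no write down)"
    else:
        raise ValueError(f"unknown operation {op!r}")
    verdict = "ALLOW" if ok else "DENY"
    return ok, (f"{verdict} {subject.name}({subject.clearance.name}) {op} "
                f"{obj.name}({obj.classification.name}) by {rule}")


def run_demo():
    """Constructed scenario covering each direction of read and write."""
    alice = Subject("alice", Level.TOP_SECRET)
    bob = Subject("bob", Level.CONFIDENTIAL)
    war_plan = DataObject("war_plan", Level.TOP_SECRET)
    newsletter = DataObject("newsletter", Level.UNCLASSIFIED)
    cases = [
        (alice, war_plan, "read"),     # read at own level: allowed
        (bob, war_plan, "read"),       # read up: denied
        (alice, newsletter, "write"),  # write down: denied (the leak BLP stops)
        (bob, war_plan, "write"),      # write up: allowed (blind write)
        (alice, newsletter, "read"),   # read down: allowed
    ]
    return [decide(s, o, op) for s, o, op in cases]


if __name__ == "__main__":
    for _, reason in run_demo():
        print(reason)
```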
In Domain 4 (Communication & Network Security), a network architect wants to design a secure perimeter network for services that must be accessible from the internet, while internal systems remain protected. Which of the following design elements is least appropriate?
A) Placing the publicly accessible servers in a separate DMZ (demilitarized zone) network segment
B) Using a firewall to control traffic between the Internet, the DMZ, and the internal network
C) Allowing direct inbound connections from the DMZ to internal servers without additional filtering
D) Logging and monitoring access between the DMZ and the internal network
Answer: C) Allowing direct inbound connections from the DMZ to internal servers without additional filtering.
Explanation:
In secure network design, a key principle is the proper separation and protection of internal networks from external threats. When designing a network, it is common to create a demilitarized zone, or DMZ, to host public-facing services such as web servers, email servers, or FTP servers. The purpose of the DMZ is to isolate these externally accessible services from the internal network, reducing the risk that a compromise of public-facing systems could directly affect sensitive internal resources. In this context, the correct answer to the question is option C: allowing direct inbound connections from the DMZ to internal servers without additional filtering. This practice is highly discouraged because it undermines fundamental network security principles and increases the organization’s exposure to potential attacks.
Option A, placing publicly accessible servers in a separate DMZ network segment, represents a standard best practice in network design. By isolating servers that must communicate with the internet, the organization reduces the likelihood that an attacker who compromises a public-facing system can gain access to internal resources. Segmentation allows for additional layers of control, making it easier to enforce security policies and limit lateral movement. It also aligns with the concept of defense in depth, where multiple layers of security controls are deployed to protect critical assets.
Option B, using a firewall to control traffic between the internet, the DMZ, and the internal network, is another essential practice. Firewalls serve as gatekeepers, enforcing rules that determine which traffic is allowed to enter or leave a network segment. By controlling traffic between the internet, DMZ, and internal network, firewalls help prevent unauthorized access and provide a point for logging and monitoring activity. Firewalls also allow organizations to define more granular policies, such as restricting inbound traffic to specific services or allowing outbound connections only to approved destinations.
Option D, logging and monitoring access between the DMZ and the internal network, complements segmentation and firewall controls. Monitoring and logging help detect suspicious or anomalous behavior, providing visibility into potential security incidents. By analyzing logs and alerts, security teams can identify and respond to threats before they escalate, supporting proactive incident response and risk management. Logging also supports auditing and compliance efforts, demonstrating that security controls are being enforced.
In contrast, option C, allowing direct inbound connections from the DMZ to internal servers without additional filtering, violates these security principles. This approach exposes the internal network to unnecessary risk because it bypasses key security layers, such as firewalls, intrusion detection systems, and access controls. Any compromise of a DMZ host could immediately impact internal systems, potentially leading to data breaches, service disruptions, or unauthorized access to sensitive information. It also ignores the principle of least privilege and undermines defense in depth, which is designed to ensure that no single security control is the sole line of defense. By allowing unrestricted access from a less-trusted zone to a highly trusted zone, this design choice creates a significant vulnerability that could be exploited by attackers or malware.
The rationale for avoiding direct connections from the DMZ to internal servers extends beyond theoretical security. In practical terms, organizations often deploy DMZs to host web applications that must be accessed by external users. If these DMZ servers are compromised and can freely communicate with internal systems, attackers can move laterally into the internal network, bypassing detection or other security controls. This scenario has been the root cause of numerous real-world breaches, highlighting the importance of careful segmentation, filtering, and monitoring.
In conclusion, proper network design requires separating public-facing servers from internal networks, controlling traffic with firewalls, and monitoring access to detect and respond to potential threats. Options A, B, and D reflect these best practices and strengthen the organization’s security posture. Option C, allowing direct inbound connections from the DMZ to internal systems without filtering, is the least appropriate choice. It exposes internal assets to undue risk, violates key principles of secure network architecture, and represents a weak design decision. Adhering to best practices in segmentation, traffic control, and monitoring ensures that the internal network remains protected even if DMZ systems are compromised, providing multiple layers of defense against potential attacks.
Under Domain 5 (Identity & Access Management – IAM) of the CISSP CBK, which of the following is an example of “separation of duties” (SoD) implemented in logical access control?
A) A system administrator also acts as a security auditor, closing audit logs
B) A database developer can independently deploy changes to production without review
C) An employee who can both create purchase orders and approve them
D) A user who enters financial transactions cannot also reconcile accounts
Answer: D) A user who enters financial transactions cannot also reconcile accounts.
Explanation:
Separation (or segregation) of duties is a control principle that ensures no single individual has end‐to‐end control of a critical process, to reduce fraud/error risk. In IAM (Domain 5), it means assigning different roles so that conflicting responsibilities are separated. Option D is a classic example: one person enters transactions, another reconciles them. The other options (A, B, C) each show conflicting duties being combined (which is undesirable). So the correct answer is D.
In Domain 6 (Security Assessment & Testing), an organisation wants to test the efficacy of its incident response plan. Which of the following activities is most appropriate?
A) Conducting a full smoke test of the fire suppression system in the data centre
B) Running a live phishing campaign targeting the executive group without notice
C) Performing a tabletop exercise involving key stakeholders walking through incident scenarios
D) Having the security team watch recorded videos of past breaches
Answer: C) Performing a tabletop exercise involving key stakeholders walking through incident scenarios.
Explanation:
Security assessment and testing, as described in Domain 6 of the CISSP Common Body of Knowledge, is a critical activity for evaluating the effectiveness of an organization’s security controls, processes, and personnel. The goal is to determine how well security measures work in practice, identify weaknesses, and validate that policies and procedures are aligned with organizational objectives. Among the various assessment methods, a tabletop exercise is considered an effective approach for testing incident response plans and organizational readiness. In this scenario, option C, conducting a tabletop exercise, is the most appropriate method.
A tabletop exercise is a discussion-based simulation in which key stakeholders, such as IT staff, security teams, management, and other relevant personnel, gather to walk through a hypothetical security incident. This method allows participants to discuss their roles, responsibilities, and responses in a controlled, low-risk environment. It is cost-effective because it does not require physical deployment of systems or large-scale operational disruptions. More importantly, it provides an opportunity for team members to practice decision-making, communication, and coordination, which are all critical aspects of incident response.
One of the main advantages of a tabletop exercise is that it engages multiple stakeholders across different departments. By involving both technical and non-technical staff, the exercise helps ensure that the incident response plan is not only technically sound but also practical and executable from an organizational perspective. This interaction can highlight gaps in responsibilities, unclear communication channels, or incomplete procedures. After the exercise, the organization can review lessons learned, update documentation, and improve training, making future real-world incident responses more effective.
Option A, a smoke test of the fire suppression system, tests a physical and environmental control. Such testing is useful for evaluating physical security or technical control effectiveness but is not designed to test incident response plans. While these tests are important for overall security posture, they do not provide the structured discussion or scenario-based analysis that a tabletop exercise offers. Therefore, option A is less suitable when the objective is to evaluate readiness for incidents.
Option B, a live phishing campaign against the executive group without notice, can be effective for testing a specific human vulnerability. However, such tests require careful ethical and legal consideration, including informed consent from employees or participants. They are also higher risk, as they can cause unintended consequences if not properly managed. Furthermore, phishing tests in isolation do not provide the comprehensive review of incident response procedures that a tabletop exercise offers. They assess only a single aspect of readiness rather than the organization’s overall ability to respond to an incident.
Option D, having the security team watch recorded videos of past breaches, is passive observation without active engagement and provides limited insight into readiness. While passive review can help identify missing procedures or raise awareness, it does not actively evaluate how personnel respond under pressure, nor does it test the coordination of multiple teams. Passive methods alone cannot reveal practical weaknesses in incident handling or decision-making, which are critical in real-world security events.
In conclusion, security assessment and testing are designed to validate that an organization’s controls and procedures are effective and that personnel are prepared to handle incidents. Tabletop exercises offer a structured, cost-effective, and interactive approach that allows stakeholders to simulate incidents, practice responses, and identify weaknesses in a safe environment. They provide both technical and organizational insights, improving communication, decision-making, and readiness. Other methods, such as operations-focused control testing, simulated phishing, or passive monitoring, may provide value in specific areas but do not offer the same comprehensive evaluation of incident response capabilities. Therefore, option C is the most appropriate choice for testing readiness, ensuring that the organization is better prepared to respond to real incidents and minimizing potential impact on operations.
Within Domain 7 (Security Operations), which of the following best describes the purpose of a Security Information and Event Management (SIEM) system?
A) It replaces antivirus software on all endpoints
B) It consolidates and correlates logs from multiple sources to support detection and response
C) It automatically blocks all external network traffic by default
D) It performs vulnerability scanning and behaviour analysis on desktop systems
Answer: B) It consolidates and correlates logs from multiple sources to support detection and response.
Explanation:
In the field of security operations, as described in Domain 7 of the CISSP Common Body of Knowledge, organizations rely on tools and processes to ensure continuous monitoring, detect threats, respond to incidents, and maintain comprehensive logging and auditing. Security Information and Event Management, or SIEM, systems are central to this function. A SIEM system collects, normalizes, and correlates logs and events from a wide variety of sources, including network devices, servers, endpoints, applications, and security appliances. This aggregation allows security teams to gain a unified view of their environment, detect suspicious patterns, and respond effectively to potential incidents. In this context, option B is the correct answer because it accurately reflects the role and capabilities of a SIEM system.
The primary function of a SIEM system is to collect logs and events from diverse sources. Each system or device generates its own log format and structure, which can make manual monitoring and analysis extremely difficult. A SIEM normalizes these logs into a consistent format, making it possible to perform meaningful analysis across different data types and sources. This normalization process is critical because it allows correlation and pattern recognition, enabling security teams to detect complex attacks that might span multiple systems or components.
Event correlation is another key function of a SIEM. By analyzing normalized logs from multiple sources, a SIEM can identify relationships between events and detect anomalies that could indicate security incidents. For example, multiple failed login attempts across several servers followed by a successful login could be flagged as suspicious activity. Correlation rules can be predefined, based on known attack patterns, or adaptive, leveraging machine learning to identify unusual behavior. This capability allows SIEM systems to detect incidents that might not be obvious if each log were analyzed in isolation.
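The normalize-then-correlate flow described above, as an added example that is not part of the original page: two constructed log formats (an sshd-style line and a Windows-style logon event) are mapped onto one schema, and a rule flags a source IP that fails across several hosts and then succeeds, while the per-host view of the same activity stays below threshold. All log lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data) in two source formats.
RAW_LOGS = [
    "2024-03-01T10:00:01Z srv-web1 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:05Z srv-db1 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:09Z srv-app2 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:12Z win-fs1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "2024-03-01T10:00:20Z srv-app2 sshd: Accepted password for admin from 203.0.113.7",
    "2024-03-01T10:05:00Z srv-web1 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T10:07:00Z srv-web1 sshd: Accepted password for bob from 198.51.100.9",
]


@dataclass(frozen=True)
class Event:
    """Normalized authentication event shared by every source format."""
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str):
    """Map one raw line from either format onto Event; None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        return Event(parse_ts(m["ts"]), m["host"], m["user"], m["src"],
                     m["result"] == "Accepted")
    m = WIN_RE.match(line)
    if m:
        # Windows logon events: 4624 = successful logon, 4625 = failed logon.
        return Event(parse_ts(m["ts"]), m["host"], m["user"], m["src"],
                     m["eid"] == "4624")
    return None


def correlate(events, min_failures=3, min_hosts=2, window=timedelta(minutes=5)):
    """Rule: a success from a source IP that produced at least min_failures
    failures across min_hosts distinct hosts within `window` raises an alert."""
    failures = defaultdict(list)   # src ip -> failed events seen so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            failures[e.src].append(e)
            continue
        recent = [f for f in failures[e.src] if e.ts - f.ts <= window]
        hosts = sorted({f.host for f in recent})
        if len(recent) >= min_failures and len(hosts) >= min_hosts:
            alerts.append({
                "rule": "failed-logins-then-success",
                "src": e.src,
                "user": e.user,
                "success_host": e.host,
                "failures": len(recent),
                "failed_hosts": hosts,
            })
    return alerts


def per_host_failure_counts(events):
    """What each host sees on its own: a few failures per machine, which is
    why the pattern is not obvious when logs are analyzed in isolation."""
    counts = defaultdict(int)
    for e in events:
        if not e.success:
            counts[e.host] += 1
    return dict(counts)


def run(lines=RAW_LOGS):
    events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    return correlate(events), per_host_failure_counts(events)


if __name__ == "__main__":
    alerts, per_host = run()
    for a in alerts:
        print("ALERT", a)
    print("per-host failure counts:", per_host)
```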
In addition to event collection and correlation, SIEM systems provide alerting and visualization through dashboards. Security teams can monitor real-time activity, prioritize alerts, and investigate potential threats. Dashboards offer a visual representation of the security posture, showing trends, anomalies, and areas that require attention. This centralized visibility is essential for timely incident response, as it allows teams to quickly focus on high-priority issues and coordinate responses across the organization.
Option A is not correct because SIEM does not replace antivirus or endpoint protection. While SIEM may collect and analyze logs from antivirus systems, its role is not to directly detect malware on a single device. Antivirus software provides endpoint-level protection, scanning files and processes for known threats, whereas SIEM provides a broader, organizational-level view of security events and trends. Relying solely on antivirus software without integrating it into a SIEM for correlation would leave gaps in threat detection and visibility.
Option C is overly broad and unrealistic because blocking all network traffic is not a practical or effective security measure. Such an approach would disrupt normal business operations and is not feasible for protecting an entire environment. While SIEM systems can trigger automated responses, including blocking malicious activity in some integrated environments, the primary function of a SIEM is monitoring, correlation, and alerting rather than indiscriminate blocking.
Option D, which relates more to endpoint vulnerability scanning, addresses a different aspect of security operations. Vulnerability scanning identifies weaknesses in systems or applications that could be exploited, but it does not provide continuous monitoring, correlation, or centralized event management. Vulnerability scanners and SIEM systems complement each other, but the core function of a SIEM remains focused on log collection, normalization, correlation, alerting, and investigation, rather than detecting or remediating endpoint vulnerabilities directly.
In summary, SIEM systems are a cornerstone of modern security operations. They enable organizations to collect logs from diverse sources, normalize the data, correlate events, and provide actionable alerts and visualizations. This centralized approach allows security teams to detect complex threats, respond to incidents promptly, and maintain ongoing visibility into the security posture of the organization. Options A, C, and D describe functions that may be related to security, but they do not accurately represent the primary role of a SIEM system. Option B is the most accurate choice, reflecting the collection, normalization, correlation, and alerting capabilities that make SIEM an essential tool in continuous monitoring and incident response.
In Domain 8 (Software Development Security), what is the primary benefit of performing a code review for a web application before deployment?
A) It guarantees there will be no vulnerabilities in the code
B) It helps identify security defects such as injection flaws, insecure error handling, or insecure input validation, before production
C) It replaces the need for dynamic testing in production
D) It ensures the performance of the application will meet SLAs
Answer: B) It helps identify security defects such as injection flaws, insecure error handling, or insecure input validation, before production.
Explanation:
Software Development Security (Domain 8) addresses secure software lifecycle practices, including secure design, coding, testing, and deployment. Conducting a code review helps to detect security weaknesses (e.g., SQL injection, cross-site scripting, insecure error handling, improper input validation) early, when they are cheaper and easier to fix. Option B is the correct benefit. Option A is too absolute (you can never guarantee “no vulnerabilities”). Option C is incorrect – code review complements dynamic testing but does not replace it. Option D is about performance, not security.
A security governance framework mandates that all organizational decisions must align with business strategy, risk appetite, and regulatory requirements. In which domain of the CISSP CBK is this concept primarily covered?
A) Domain 2 – Asset Security
B) Domain 4 – Communication & Network Security
C) Domain 1 – Security & Risk Management
D) Domain 7 – Security Operations
Answer: C) Domain 1 – Security & Risk Management.
Explanation:
Domain 1 (Security & Risk Management) covers governance principles, alignment of security with the organisation’s strategy, risk management, compliance, and legal/regulatory aspects. The question refers to aligning decisions with business strategy, risk appetite, and regulatory requirements, which is clearly governance and risk management, so Domain 1 is the correct answer.
Which of the following is an example of a preventive control rather than a detective or corrective control, in the context of the CISSP domains?
A) Security cameras recording access to the data centre
B) Network intrusion detection system (IDS) alerting on suspicious traffic
C) Requiring multi-factor authentication (MFA) for administrative login
D) Applying patches after a vulnerability has been exploited
Answer: C) Requiring multi-factor authentication (MFA) for administrative login.
Explanation:
Controls are often classified as preventive, detective, or corrective. A preventive control aims to stop an incident before it happens. Requiring MFA (option C) prevents unauthorized access in the first place. Option A (security cameras) is detective (monitoring after the fact). Option B (IDS alerts) is also detective (not preventive). Option D (patching after exploitation) is corrective (responding post-incident). So C is the correct choice.
Your organisation is moving certain systems to a third-party cloud provider. Which of the following is the most critical supply-chain risk to address under Domain 1 (Security & Risk Management) and Domain 2 (Asset Security)?
A) The third-party provider might have slower performance than the current on-premises systems
B) The third-party provider might use hardware components with unknown provenance, leading to implant risk or counterfeit components
C) The third-party provider may be located in the same country as your main site
D) The third-party provider might offer too many features you do not need
Answer: B) The third-party provider might use hardware components with unknown provenance, leading to implant risk or counterfeit components.
Explanation:
Supply Chain Risk Management (SCRM) is explicitly mentioned in Domain 1 (Security & Risk Management) under “Establish supply chain risk management concepts,” which includes risks such as product tampering, counterfeits, implants, and unknown components. When migrating to a third-party cloud provider, one of the most critical risks is using components whose lineage or security has not been fully verified (option B). The other options are less critical from a security risk standpoint: slower performance (A) is an operational or usability concern, being in the same country (C) may be neutral or even positive, and extra features (D) is a cost or compliance concern, none of which is as critical as tampered hardware.
When performing a security architecture review of a legacy system, you identify that data at rest is encrypted using a deprecated algorithm, and the key management is weak. Under Domain 3 (Security Architecture & Engineering), what should be your first recommendation?
A) Immediately decommission the system regardless of business impact
B) Document the weakness and recommend migration to a modern algorithm and robust key management, with a timeline according to risk severity
C) Remove all encryption to simplify management
D) Move the encryption keys to the same system so it is easier to manage
Answer: B) Document the weakness and recommend migration to a modern algorithm and robust key management, with a timeline according to risk severity.
Explanation:
In Domain 3 (Security Architecture & Engineering), part of secure engineering is ensuring cryptographic controls remain current (algorithm strength, key management practices) and providing risk-based remediation when they are not. The correct action is to assess the risk, document the weakness, and recommend an appropriate migration path (option B). Option A is extreme and may not be feasible without a business impact analysis. Option C removes encryption altogether, which eliminates confidentiality protection and is worse. Option D (moving keys onto the same system) weakens key management by creating a single point of compromise. So B is the best answer.
In designing a global Virtual Private Network (VPN) infrastructure under Domain 4 (Communication & Network Security), which factor is least relevant from a security architecture perspective?
A) Ensuring encryption algorithms meet current standards (e.g., AES-256 rather than DES)
B) Ensuring proper lifespan of session keys and re-keying procedures
C) Selecting VPN endpoints solely because they are the cheapest vendor, regardless of security features
D) Ensuring split-tunnelling is disabled when connecting to corporate internal resources
Answer: C) Selecting VPN endpoints solely because they are the cheapest vendor regardless of security features.
Explanation:
When designing a secure VPN infrastructure, options A, B and D are all genuine security-architecture considerations: cipher strength, session-key lifetime and re-keying, and disabling split tunnelling so that traffic to internal resources cannot bypass corporate controls. Option C is the odd one out: purchase price is not a security criterion at all, and choosing endpoints on cost alone without verifying their security features would undermine the architecture. C is therefore the correct answer to a “least relevant” question.
Under Domain 5 (Identity & Access Management – IAM), which of the following correctly describes the “principle of least privilege”?
A) Assign each user full administrative rights by default and reduce them only if auditing shows misuse
B) Users should only be given the minimum access rights necessary to perform their job functions, and no more
C) All users should have access to all systems to ensure productivity
D) The vendor’s default user IDs and passwords are acceptable as long as they work
Answer: B) Users should only be given the minimum access rights necessary to perform their job functions, and no more.
Explanation:
The principle of least privilege is a core IAM concept in CISSP Domain 5: users are granted only the permissions necessary to perform their tasks and nothing more, reducing the attack surface and limiting the impact if an account is compromised. Option B states this correctly. Option A inverts the principle (grant everything, then remove rights only after misuse is detected); Option C is the opposite of least privilege; Option D leaves vendor default credentials in place, which is an insecure configuration rather than an access-control principle. So B is correct.
During a penetration test of an organisation’s network, the testers gain access to a privileged account because the password had not changed since deployment. Which of the following controls in Domain 6 (Security Assessment & Testing) would best have prevented this outcome?
A) Having a firewall between the network segments
B) Running a periodic credential-age audit and forcing password reset every 90 days
C) Disabling the firewall logging because it uses storage
D) Allowing administrators to reuse the same password across multiple systems
Answer: B) Running a periodic credential-age audit and forcing password reset every 90 days.
Explanation:
Security Assessment & Testing (Domain 6) covers testing controls (technical and procedural) for compliance and effectiveness. A periodic audit of credential age, with enforced resets, would have caught a privileged password that had never been changed since deployment before a tester (or an attacker) found it. Option B is correct. Option A (a firewall) may help with segmentation but does not address credential age. Option C (disabling firewall logging) is counterproductive. Option D (reusing one password across systems) increases risk. So B is the best preventive control in this scenario. One caveat for practice, as distinct from the exam answer: current NIST SP 800-63B guidance discourages arbitrary periodic password expiry in favour of changing secrets when there is evidence of compromise, but the real failure here, a privileged credential left at its deployment value, is exactly what a credential-age audit is meant to surface, whatever rotation interval is chosen.
In the context of Domain 7 (Security Operations), which of the following best describes a corrective control?
A) Implementing intrusion detection that alerts security operations when an attack is underway
B) Conducting quarterly security awareness training for employees
C) Restoring system backups and applying patches after a malware incident has occurred
D) Using strong encryption on sensitive data to prevent unauthorised access
Answer: C) Restoring system backups and applying patches after a malware incident has occurred.
Explanation:
In the taxonomy of controls, a corrective control reduces the impact of a successful incident or restores systems to normal after it has occurred. Option C (restoring backups and applying patches after malware) is corrective. Option A is detective (it alerts when an attack is underway). Option B is a preventive, administrative control (awareness training). Option D is preventive (encryption). So C is correct for a corrective control in the operations domain.
Which of the following best describes defence in depth, and in which CISSP domain is it most emphasized?
A) A single strong firewall is sufficient; emphasised primarily in Domain 8 (Software Development Security)
B) Multiple layers of security controls (technical, procedural, physical) so that no single control’s failure leads to compromise; emphasised across many domains but especially in Domain 4 (Communication & Network Security) and Domain 3 (Security Architecture & Engineering)
C) A software development methodology where each developer reviews each other’s code; emphasised only in Domain 2 (Asset Security)
D) A data classification scheme where all data is encrypted; emphasised only in Domain 6 (Security Assessment & Testing)
Answer: B) Multiple layers of security controls (technical, procedural, physical) so that no single control’s failure leads to compromise; emphasised across many domains but especially in Domain 4 (Communication & Network Security) and Domain 3 (Security Architecture & Engineering).
Explanation:
Defence in depth means having overlapping layers of security controls, so that if one fails the others still provide protection. The concept is central to the architecture and network design domains (Domain 3 and Domain 4) but applies across the entire CISSP CBK. Option B is correct. Option A is wrong because a single strong firewall is never sufficient, and it misplaces the emphasis domain. Option C describes peer code review, not defence in depth. Option D describes encryption, not layering, and wrongly confines it to Domain 6. So B is the best answer.
An application development team is following a secure development lifecycle in Domain 8 (Software Development Security). They decide to include security requirements, threat modelling, code reviews, vulnerability scanning, and penetration testing. Which activity among these is most effective for identifying design-level security flaws early in the lifecycle?
A) Penetration testing of the production environment
B) Vulnerability scanning of compiled binaries
C) Threat modelling during the architecture phase
D) Code review right before deployment
Answer: C) Threat modelling during the architecture phase.
Explanation:
Threat modelling during the architectural/design phase is most effective for finding design-level security flaws (e.g., how data flows, what threats exist, what controls are required) early, when fixes are cheaper and more effective. This is strongly emphasised under Domain 8. While code review (D) and vulnerability scanning (B) are valuable, they tend to find implementation issues rather than design flaws. Penetration testing of production (A) is the latest stage and most expensive. So C is the best choice.
A company operating in multiple jurisdictions must comply with the General Data Protection Regulation (GDPR) and must also consider the risk of cross-border data flows. Under which domain of the CISSP CBK is this scenario primarily addressed?
A) Domain 2 – Asset Security
B) Domain 1 – Security & Risk Management
C) Domain 5 – Identity & Access Management
D) Domain 7 – Security Operations
Answer: B) Domain 1 – Security & Risk Management.
Explanation:
Legal, regulatory, and compliance issues (including trans-border data flows and privacy laws such as GDPR) are explicitly covered under Domain 1 (Security & Risk Management) in the CISSP exam outline. Although Asset Security (Domain 2) deals with data classification and handling, the cross-border and regulatory compliance aspect falls under governance and risk. Therefore B is correct.
Which of the following scenarios most clearly demonstrates a business continuity requirement being addressed under Domain 1 and Domain 7?
A) Installing antivirus software on all workstations
B) Conducting a business impact analysis to identify critical systems, then implementing redundant infrastructure and disaster recovery plans to minimise downtime
C) Encrypting all emails exchanged externally
D) Developing a mobile app for employees to track their vacation days
Answer: B) Conducting a business impact analysis to identify critical systems, then implementing redundant infrastructure and disaster recovery plans to minimise downtime.
Explanation:
When considering strategies to ensure the resilience and continuous operation of an organization during unexpected disruptions, the correct approach is option B: conducting a business impact analysis to identify critical systems, then implementing redundant infrastructure and disaster recovery plans to minimize downtime. This approach directly aligns with the principles of business continuity and disaster recovery, which are core components of the Security and Risk Management domain and also relate to Security Operations due to their operational focus. To fully understand why option B is correct and the other options are less relevant, it is helpful to examine each choice in the context of business continuity, risk management, and organizational resilience.
Business continuity and disaster recovery planning are proactive strategies designed to ensure that an organization can continue operating and recover quickly when unexpected events occur. Disruptions can take many forms, such as natural disasters, technological failures, cyberattacks, or human errors. The main goal is to minimize downtime, preserve critical operations, and maintain confidence among stakeholders.
A structured approach to business continuity begins with a business impact analysis. This is a systematic process used to identify and evaluate the potential effects of disruptions on business operations. By conducting a business impact analysis, an organization can determine which systems, processes, and resources are essential for maintaining operations. Critical systems might include financial platforms, communication networks, manufacturing processes, or supply chain systems. The business impact analysis helps prioritize recovery efforts and ensures that resources are focused on systems whose disruption would have the greatest operational and financial impact.
Once critical systems are identified, the organization can implement strategies to mitigate risks and ensure continuity. This usually involves redundancy and disaster recovery plans. Redundancy can include backup hardware, network failovers, or geographic replication of systems. Disaster recovery plans provide step-by-step procedures to restore systems and operations after a disruption. Together, redundancy and disaster recovery plans allow organizations to restore critical functions within acceptable timeframes and minimize operational downtime. This approach ensures that business operations continue with as little interruption as possible.
Option A, installing antivirus software on all workstations, is an important preventive measure for endpoint security, but it does not directly address business continuity. Antivirus software protects individual devices from malware but does not provide strategies for maintaining or restoring operations in the event of a significant disruption. Option C, encrypting all emails exchanged externally, is a form of data protection that ensures confidentiality but does not ensure continuity of operations or recovery from disruptions. Option D, developing a mobile app for employees to track vacation days, is mainly an administrative convenience and has no significant impact on organizational resilience or disaster recovery planning.
Business continuity and disaster recovery intersect with multiple areas of security. They are closely related to risk management because identifying critical systems and prioritizing recovery actions are key components of understanding and mitigating operational risks. They also relate to security operations, as operational procedures must be in place to maintain services, monitor systems, and execute recovery plans during disruptions. By integrating these areas, organizations can maintain essential operations, secure their assets, and recover quickly from unexpected events.
In conclusion, option B, which involves conducting a business impact analysis followed by implementing redundant infrastructure and disaster recovery plans, is the most comprehensive approach for maintaining business operations during disruptions. The other options, while valuable for security or administrative efficiency, do not address the continuity of critical business functions. Option B represents a proactive and structured approach to ensuring that organizations remain operational, minimize downtime, and recover effectively in the face of unexpected events.