ISC CISSP Certified Information Systems Security Professional Exam Dumps and Practice Test Questions Set 1 Q41-60

Visit here for our full ISC CISSP exam dumps and practice test questions.

Question 41:

A company wants to adopt a risk-based approach to patch management. Which factor should primarily determine patching priority under Domain 7 (Security Operations)?

A) Vendor patch release date
B) The number of devices affected
C) The criticality of assets and the exploitability of the vulnerability
D) The size of the patch file

 Answer: C) The criticality of assets and exploitability of the vulnerability.

Explanation:

Risk-based patching focuses on likelihood (exploit availability, exposure) and impact (asset importance). It prioritizes patching of high-risk vulnerabilities on critical systems first. Vendor release dates or patch size don’t determine urgency; asset value and exploitability do.

Question 42:

Under Domain 1 (Security & Risk Management), which best illustrates the concept of risk transference?

A) Installing redundant firewalls
B) Outsourcing data storage to a cloud provider with a signed liability clause
C) Disabling unused network ports
D) Accepting the risk of unpatched systems

Answer: B) Outsourcing data storage to a cloud provider with a signed liability clause.

Explanation:

Risk transference involves shifting financial responsibility to another party, such as via insurance or a vendor contract. Outsourcing with liability clauses does that. Installing redundant firewalls is risk mitigation, disabling ports is risk reduction, and accepting risk is retention, not transference.

Question 43:

Which statement best describes due diligence in information security?

A) Continuous activities to maintain compliance and monitor the effectiveness of controls
B) Initial research and evaluation before implementing a control
C) Acceptance of known risks for business reasons
D) Outsourcing risk to a vendor

Answer: B) Initial research and evaluation before implementing a control.

Explanation:

Due diligence is about investigation before action (e.g., evaluating vendors, assessing solutions). Due care is the ongoing act of maintaining protection. The exam often tests this distinction.

Question 44:

A network administrator configures VLANs to isolate departments. Under which domain does this control primarily fall?

A) Domain 4 – Communication & Network Security
B) Domain 5 – Identity & Access Management
C) Domain 7 – Security Operations
D) Domain 2 – Asset Security

Answer: A) Domain 4 – Communication & Network Security.

 Explanation 45:

VLAN segmentation enhances network security and performance, which is part of secure network design covered in Domain 4. It limits lateral movement and enforces least privilege at the network layer.

Question:

Under Domain 3 (Security Architecture & Engineering), what is the main purpose of the trusted computing base (TCB)?

A) To provide redundancy for system performance
B) To enforce security policy through hardware, firmware, and software components
C) To store encryption keys in nonvolatile memory
D) To manage virtualization resources 

Answer: B) To enforce security policy through hardware, firmware, and software components.

Explanation:

The TCB is the combination of all system components that enforce the security policy — including kernel, reference monitor, and access control mechanisms. It defines the system’s trust boundary. Other options don’t describe its function.

Question 46:

In Domain 2, a financial institution enforces different classification levels for “Public,” “Internal,” and “Confidential.” Which process ensures that access controls reflect these labels?

A) Risk transfer
B) Data classification enforcement
C) Key escrow management
D) Security policy exemption

Answer: B) Data classification enforcement.

Explanation:

Classification enforcement ensures controls (access, encryption, handling) match the assigned sensitivity level. It operationalizes the classification scheme. This ties directly to Domain 2’s focus on data lifecycle and protection.

Question 47:

Under Domain 8 (Software Development Security), which security principle is most violated when a developer hides security mechanisms instead of documenting them for peer review?

A) Security through obscurity
B) Economy of mechanism
C) Open design
D) Least privilege

Answer: C) Open design.

Explanation:

Open design states that security should not rely on secrecy of design but on robustness of mechanisms. “Security through obscurity” is an anti-pattern. Concealing mechanisms prevent peer review, weakening assurance.

Question 48:

A SOC analyst discovers unauthorized outbound data transfers from a database server. What is the first step in the incident response process under Domain 7?

A) Eradication
B) Containment
C) Identification
D) Recovery

Answer: C) Identification.

Explanation:

Incident response begins with identifying whether an event is indeed a security incident. Only after identification do containment, eradication, and recovery follow sequentially. Jumping ahead without confirming wastes resources or disrupts evidence.

Question:

Under Domain 4, which network technology provides data confidentiality, integrity, and authentication between sites over public networks?

A) MPLS
B) VPN using IPsec
C) VLAN trunking
D) DNS

Answer: B) VPN using IPsec.

Explanation:

IPsec (in transport or tunnel mode) ensures confidentiality (encryption), integrity (hashing), and authentication (IKE, certificates). MPLS focuses on routing efficiency, VLAN trunking is internal segmentation, and DNS is a naming service.

Question 49:

Which testing method in Domain 6 offers the least intrusive way to verify security posture while minimizing disruption to systems?

A) Penetration testing
B) Vulnerability scanning
C) Red team exercise
D) Code injection testing
Answer: B) Vulnerability scanning.

Explanation:

Vulnerability scans are automated and nonintrusive—they identify known weaknesses without exploitation. Penetration testing and red teaming actively exploit vulnerabilities; code injection testing targets application layers. Thus, scanning is the least intrusive.

Question 50:

Under Domain 3, what is the main objective of compartmentalization in secure system design?

A) To improve CPU scheduling
B) To isolate processes and data, reducing the impact of compromise
C) To increase system performance
D) To support single-threaded applications

Answer: B) To isolate processes and data, reducing the impact of compromise.

Explanation:

Compartmentalization is a critical principle in secure system and network architecture that focuses on isolating components to prevent a security breach in one segment from affecting other parts of the system. This principle is widely applied across both physical and digital domains and is closely aligned with the concepts of least privilege and containment. By understanding how compartmentalization works and its benefits, organizations can design more resilient systems that minimize the impact of attacks and improve overall security posture.

At its core, compartmentalization involves dividing a system or network into discrete segments or compartments, each with specific access controls, permissions, and policies. In digital environments, this may involve creating separate network zones, virtual local area networks (VLANs), isolated virtual machines, containerized applications, or microservices architectures. Each compartment is treated as a self-contained unit with defined boundaries, and communication between compartments is strictly controlled through firewalls, access control lists, or other security mechanisms. This segmentation ensures that if an attacker compromises one compartment, their ability to move laterally or access other sensitive systems is limited.

One of the key benefits of compartmentalization is damage containment. In a traditional flat network or monolithic system, a single breach can potentially expose all systems, data, and resources. An attacker who gains access to a critical server could exploit it to move across the network, escalate privileges, or exfiltrate sensitive data. By implementing compartmentalization, organizations limit the scope of any potential breach. For example, if a web server in one network segment is compromised, compartmentalization prevents the attacker from immediately accessing internal databases, sensitive financial systems, or administrative networks. Containing the damage in this way buys time for incident response teams to detect and mitigate the breach without catastrophic impact.

Compartmentalization also supports the principle of least privilege, which dictates that users, processes, and systems should have only the minimum access necessary to perform their functions. By combining compartmentalization with granular access controls, organizations ensure that even if credentials are compromised within a compartment, the attacker cannot access unrelated resources. For example, an employee in a marketing department may have access only to marketing-related applications and databases, while sensitive financial systems are isolated in a separate compartment. This approach reduces the likelihood of insider threats or credential misuse resulting in widespread compromise.

The principle of compartmentalization can be applied to both systems and data. For systems, network segmentation is a common approach, creating separate zones for different types of traffic, such as user workstations, servers, development environments, and external-facing services. Firewalls, virtual private networks (VPNs), and access control policies enforce boundaries between these zones, restricting communication to only what is necessary. For data, compartmentalization involves categorizing information based on sensitivity and applying access controls accordingly. Confidential or regulated data may be stored in isolated databases with strict encryption and monitoring, while less sensitive information may reside in more accessible compartments. This ensures that even if one data store is breached, the exposure of highly sensitive information is minimized.

Compartmentalization also enhances incident response and forensic capabilities. When a security incident occurs, clearly defined compartments allow security teams to identify the affected systems, isolate them, and contain the threat more effectively. It also simplifies forensic analysis, as investigators can focus on the impacted compartment without being overwhelmed by unrelated system logs or data. This controlled environment improves the speed and accuracy of response actions, which is essential for minimizing operational disruption and regulatory or compliance consequences.

In addition to security benefits, compartmentalization improves system stability and maintainability. By isolating components, organizations can apply updates, patches, and configuration changes to individual compartments without risking disruption to the entire system. This modular approach also supports testing and development, allowing changes to be validated within a compartment before deployment to production environments. Containerization and microservices architectures exemplify this concept, enabling developers to update or replace specific services independently, reducing downtime and operational risk.

Compartmentalization is often combined with other security strategies to create a layered defense, also known as defense in depth. In addition to isolation, organizations may implement monitoring, intrusion detection, encryption, and strict access control policies within each compartment. This multi-layered approach ensures that even if one layer fails, other layers continue to provide protection, further limiting potential damage. For example, an attacker who bypasses a firewall separating two compartments may still be prevented from accessing sensitive data by authentication controls, encrypted storage, or activity monitoring within the target compartment.

The principle of compartmentalization is not limited to technical controls. It can also be applied in organizational processes and physical security. For example, sensitive projects or information may be assigned to separate teams with restricted communication between groups. Physical facilities may implement compartmentalized access controls, such as secure rooms, locked cabinets, or badge-restricted areas, ensuring that personnel only access areas necessary for their duties. These measures extend the concept of isolation across the entire organization, reinforcing both operational security and data protection.

Despite its many benefits, implementing effective compartmentalization requires careful planning. Organizations must identify critical assets, define compartment boundaries, and establish communication policies that balance security with operational needs. Over-segmentation can introduce complexity, making management and maintenance difficult, while under-segmentation may leave systems vulnerable to lateral attacks. Security teams must carefully evaluate risk, performance, and usability when designing compartments to achieve an optimal balance.

In conclusion, compartmentalization is a fundamental principle in secure system and network architecture that involves segmenting systems and data into isolated compartments. This approach limits damage in the event of a breach, supports the principle of least privilege, enhances incident response and forensic capabilities, and contributes to overall system stability. By controlling access between compartments, organizations prevent attackers from moving laterally and ensure that compromises are contained, reducing operational, financial, and reputational risks. Compartmentalization is a versatile strategy that can be applied technically, organizationally, and physically, forming a cornerstone of a robust security architecture. Its effective implementation helps organizations build resilient systems capable of withstanding attacks while maintaining operational continuity, making it a best practice in modern cybersecurity and risk management.

Question 51:

A project manager asks whether data protection laws apply to the organization’s new e-commerce platform, collecting EU customer data. Which CISSP domain primarily governs this concern?

A) Domain 1 – Security & Risk Management
B) Domain 4 – Communication & Network Security
C) Domain 8 – Software Development Security
D) Domain 6 – Security Assessment & Testing

Answer: A) Domain 1 – Security & Risk Management.

Explanation:

Legal and regulatory compliance (like GDPR) is addressed in Domain 1. This domain ensures that governance and data protection obligations are understood and integrated into risk management.

Question 52:

Which backup strategy provides the fastest recovery time for mission-critical data under Domain 7?

A) Full backup only
B) Differential backup daily, full weekly
C) Mirroring (RAID 1 or synchronous replication)
D) Incremental backup every hour

Answer: C) Mirroring (RAID 1 or synchronous replication).

Explanation:

In disaster recovery and business continuity planning, understanding the differences between mirroring and backup strategies is essential for ensuring that data and applications remain available during outages, system failures, or other disruptive events. Both mirroring and backups are critical components of data protection, but they serve different purposes and provide different levels of recovery speed and granularity. Mirroring is a high-availability solution that provides real-time replication of data, whereas backups are historical snapshots that require restoration, resulting in longer recovery times. In the context of achieving the fastest recovery and minimizing data loss, mirroring offers significant advantages, particularly in environments where downtime or data loss is unacceptable.

Mirroring, also known as synchronous replication, involves maintaining an identical copy of data in real-time on a separate storage system or server. Every change made to the primary system is immediately replicated to the mirrored system, ensuring that both systems remain synchronized. This real-time replication allows for immediate failover in the event of a hardware failure, software error, or other disruption. Because the mirrored system contains a current, up-to-date copy of all data, recovery point objective (RPO) and recovery time objective (RTO) are effectively zero or near-zero. RPO represents the maximum acceptable amount of data loss, and in the case of mirroring, no data is lost because the secondary system mirrors every transaction as it occurs. RTO represents the maximum acceptable downtime, and mirroring minimizes this by allowing systems to switch over almost instantly.

The technical implementation of mirroring can vary depending on the environment. It may involve hardware-level solutions, such as disk array mirroring, or software-level replication across servers or storage clusters. In enterprise environments, mirroring is often part of high-availability clusters or storage area networks (SANs), providing seamless failover for critical applications such as databases, email systems, and financial transaction platforms. Cloud service providers may also offer mirroring capabilities across geographic regions, ensuring business continuity even in the event of a regional outage. The key advantage of mirroring is that it allows operations to continue without noticeable interruption, maintaining business continuity and operational resilience.

Backups, by contrast, are point-in-time copies of data that are stored separately from the primary system. Backups can be full, differential, or incremental. A full backup captures all data in a system at a particular point in time. A differential backup captures all changes made since the last full backup, while an incremental backup captures only changes made since the last backup of any type. While backups are critical for long-term data retention, regulatory compliance, and protection against accidental deletion or corruption, they do not provide real-time protection. Restoring data from backups involves retrieving the appropriate backup files, transferring them to the target system, and applying any necessary incremental or differential updates. This process requires time and effort, resulting in longer RTOs and greater potential for data loss between backups, which is reflected in the RPO.

The speed difference between mirroring and backups is substantial. In a mirrored system, failover can occur automatically or with minimal manual intervention, often within seconds or minutes. Users may experience little to no disruption because the mirrored system can assume the role of the primary system almost instantaneously. In contrast, restoring data from backups can take hours or even days, depending on the volume of data, network speeds, and the complexity of the restoration process. Moreover, any data created or modified after the most recent backup may be lost, creating an RPO that corresponds to the time elapsed since the last backup. For organizations that require continuous operations, such as financial institutions, e-commerce platforms, healthcare systems, and critical infrastructure providers, this delay is often unacceptable, making mirroring the preferred solution.

It is also important to understand that mirroring and backups are complementary rather than mutually exclusive. While mirroring provides immediate failover and minimal data loss, it does not protect against all types of data threats. For example, if a data corruption, accidental deletion, or ransomware attack occurs, the mirrored system will replicate the changes immediately, preserving the corrupted or compromised data. Backups provide historical snapshots that can be restored to a point before the incident occurred, offering protection against such scenarios. Therefore, an effective data protection strategy often combines both mirroring for real-time availability and backups for longer-term recovery and historical protection.

Implementing mirroring requires careful planning to ensure synchronization, minimize latency, and maintain system performance. Because all transactions are replicated in real-time, mirroring can introduce overhead, particularly in environments with high transaction volumes or long-distance replication. Organizations must also consider the cost of additional storage, networking infrastructure, and high-availability hardware to support mirrored systems. Despite these considerations, the investment in mirroring is justified in environments where minimizing downtime and data loss is critical, and the potential cost of business disruption exceeds the cost of the mirroring solution.

In conclusion, mirroring and backups serve different but complementary roles in disaster recovery and business continuity planning. Mirroring keeps an identical copy of data in real-time, allowing immediate failover and the fastest possible recovery with near-zero RPO and RTO. Backups, while essential for historical retention and protection against corruption or deletion, require restoration steps that are slower and may result in greater data loss. Organizations that prioritize continuous availability, minimal downtime, and rapid recovery often implement mirroring as a core component of their high-availability strategy, while also maintaining backups for long-term protection. By understanding the strengths and limitations of both approaches, organizations can design resilient, effective, and comprehensive data protection strategies that ensure operational continuity under a wide range of failure scenarios.

Question 53:

In Domain 5, which of the following authentication factors represents “something you are”?
A) Password
B) Smart card
C) Biometric fingerprint
D) PIN

Answer: C) Biometric fingerprint.

Explanation:

Authentication factors include: something you know (password, PIN), something you have (token, smart card), and something you are (biometric). Thus, fingerprint = “something you are.”

Question 54:

A company employs an intrusion prevention system (IPS) inline with network traffic. What type of control is this under the CISSP control classification?
A) Detective, administrative
B) Preventive, technical
C) Corrective, physical
D) Compensating, managerial

Answer: B) Preventive, technical.

Explanation:

An Intrusion Prevention System, or IPS, is a critical component of modern network security architectures. It is designed to actively monitor, detect, and prevent malicious network traffic from reaching target systems, making it a preventive technical control rather than a purely detective mechanism. Understanding why an IPS falls into the category of preventive controls requires examining its functionality, placement within security architectures, its distinction from other types of controls, and the broader role it plays in protecting organizational assets.

A preventive control is any security mechanism or process that is implemented to stop security incidents before they occur. Preventive controls are proactive measures designed to reduce the likelihood of an attack or limit its potential impact. In the case of an IPS, the system continuously analyzes network traffic, looking for known attack signatures, anomalies, and behavioral patterns that may indicate malicious activity. When the IPS identifies suspicious traffic, it can take immediate action to block it, drop packets, reset connections, or quarantine affected devices. By actively intervening in the traffic flow, the IPS prevents attacks from reaching vulnerable systems, making it a preventive rather than a reactive control.

The functionality of an IPS is often compared with that of an Intrusion Detection System, or IDS. While an IDS also monitors network traffic for suspicious activity, it is primarily a detective control. An IDS generates alerts and logs when potential threats are detected, allowing security teams to investigate and respond. Unlike an IPS, an IDS does not actively block or prevent attacks in real time. This distinction is crucial for understanding why IPSs are classified as preventive. The ability to take immediate action to stop threats differentiates preventive controls from detective ones, which focus on identifying incidents after they occur.

An IPS typically operates in-line with network traffic, meaning that all packets pass through the system before reaching their intended destination. This in-line deployment allows the IPS to intervene in real time, filtering out malicious traffic while allowing legitimate traffic to continue. Common techniques used by IPSs include signature-based detection, which matches traffic against known attack patterns; anomaly-based detection, which identifies deviations from normal network behavior; and stateful protocol analysis, which examines the context of traffic to detect suspicious activity. These methods enable the IPS to prevent attacks such as malware propagation, denial-of-service attempts, unauthorized access, and data exfiltration.

Preventive technical controls like IPSs are distinct from administrative and physical controls. Administrative controls involve policies, procedures, and guidelines that dictate how security is managed within an organization. Examples include acceptable use policies, security awareness training, incident response procedures, and access control policies. While administrative controls are essential for governance and compliance, they do not actively block attacks in real time. Their effectiveness depends on human adherence and enforcement, whereas a preventive technical control, like an IP, S, functions automatically and continuously, independent of user behavior.

Physical controls, on the other hand, provide environmental or physical barriers to protect assets. Examples include locks, security guards, surveillance cameras, access badges, and fencing. Physical controls are designed to prevent unauthorized access to buildings, data centers, or sensitive equipment, and while they are essential for comprehensive security, they operate in the physical domain rather than the network or software domain. An IPS operates entirely within the digital domain, intercepting and controlling network traffic, which differentiates it from environmental or administrative controls.

The strategic placement of an IPS within a network architecture enhances its preventive effectiveness. Typically, IPSs are deployed at network choke points, such as at the perimeter between internal networks and the internet, or between different internal network segments with varying security requirements. By positioning the IPS in these locations, organizations can monitor all incoming and outgoing traffic, prevent external attacks from penetrating internal systems, and control lateral movement by attackers who may already be inside the network. In addition to blocking attacks, modern IPSs often integrate with other security tools, such as firewalls, security information and event management (SIEM) systems, and endpoint protection platforms, creating a layered, defense-in-depth strategy.

One of the key benefits of using an IPS as a preventive control is that it reduces the risk exposure of critical assets. By stopping attacks before they reach vulnerable systems, an IPS limits potential damage, reduces recovery costs, and helps maintain business continuity. In contrast, relying solely on detective controls means that some attacks may succeed before being detected, increasing the likelihood of operational disruption, data loss, or regulatory noncompliance. A preventive technical control like an IPS complements detective controls, creating a proactive security posture that mitigates threats in real time while providing the data needed for analysis and future improvements.

It is also important to recognize the role of tuning and configuration in IPS effectiveness. Improperly configured or overly sensitive IPSs can generate false positives, blocking legitimate traffic and disrupting business operations. Conversely, under-tuned IPSs may fail to detect sophisticated attacks. Effective IPS deployment involves careful calibration of signature databases, anomaly detection thresholds, and integration with organizational security policies. Regular updates to attack signatures and ongoing monitoring are essential to maintaining the preventive efficacy of the system.

In conclusion, an Intrusion Prevention System is a preventive technical control because it actively blocks malicious network traffic before harm occurs. Its in-line deployment, real-time detection capabilities, and automated response mechanisms differentiate it from detective controls such as IDSs, administrative controls such as policies, and physical controls such as locks or barriers. By preventing attacks from reaching critical assets, IPSs reduce risk exposure, maintain business continuity, and support a proactive security posture. The preventive nature of an IPS, combined with proper configuration and integration into a layered security strategy, makes it an essential component of modern cybersecurity frameworks and best practices. Understanding the distinction between preventive, detective, administrative, and physical controls is crucial for security professionals tasked with designing and managing robust, effective defense mechanisms.

Question 55:

Under Domain 3, which of the following is a physical security control rather than a logical one?
A) Biometric access to server rooms
B) File permissions
C) Encryption keys
D) Session timeout configuration

Answer: A) Biometric access to server rooms.

Explanation 56:

Physical controls protect tangible assets—locks, guards, biometrics. Logical controls are software-based. Therefore, A is physical; the others are logical.

Question:

A software build includes open-source components. Under Domain 8, which is the best control to manage related security risks?
A) Ignore external libraries to save time
B) Maintain a Software Bill of Materials (SBOM) and perform dependency vulnerability scanning
C) Manually review only licensed components
D) Use older libraries for compatibility

Answer: B) Maintain a Software Bill of Materials (SBOM) and perform dependency vulnerability scanning.

Explanation:

A Software Bill of Materials, or SBOM, is an essential tool in modern software development and security practices. It provides a detailed inventory of all third-party and open-source components that are included in a software application. By maintaining an accurate and up-to-date SBOM, organizations gain visibility into the libraries, frameworks, and dependencies their applications rely on, which is crucial for patch management, vulnerability management, and regulatory compliance. SBOMs are increasingly recognized as a critical component of secure software development, particularly in the context of DevSecOps, software supply chain security, and risk management.

The main purpose of an SBOM is to track third-party components in software. Many modern applications are built on a combination of proprietary code and external dependencies. While these third-party libraries accelerate development and reduce costs, they also introduce potential security risks. Vulnerabilities in widely used open-source components, such as Log4j or Apache Struts, can be exploited if left unpatched, potentially impacting millions of users. An SBOM enables organizations to identify which components are included in their applications and monitor them for known vulnerabilities. Without such visibility, developers and security teams may be unaware of the presence of vulnerable libraries, increasing the likelihood of a successful attack.

Automated vulnerability scans complement SBOMs by actively checking the listed components for security issues. Software Composition Analysis (SCA) tools are commonly used for this purpose. These tools compare the versions of third-party libraries in the SBOM against databases of known vulnerabilities, such as the National Vulnerability Database (NVD) or vendor-specific advisories. When a vulnerability is identified, security teams can prioritize remediation based on severity, exploitability, and business impact. Automated scanning reduces manual effort, ensures continuous monitoring, and helps organizations respond quickly to emerging threats in the software supply chain.

Using an SBOM and automated scanning together supports several key security objectives. First, it improves integrity by ensuring that the software components being used are known, verified, and up-to-date. Integrity verification involves confirming that the versions of libraries listed in the SBOM match the actual components in the build environment and that no unauthorized modifications have occurred. Second, it supports confidentiality and availability indirectly, because unpatched vulnerabilities in software components can lead to data breaches or system outages. By proactively identifying and addressing these vulnerabilities, organizations reduce the risk of compromise and maintain trust in their software.

Regulatory compliance is another important benefit of SBOMs. Many industries, particularly healthcare, finance, and critical infrastructure, are subject to standards and regulations that require organizations to manage and report on software security practices. For example, the U.S. Executive Order on Improving the Nation’s Cybersecurity mandates the use of SBOMs for software purchased by federal agencies. Organizations that maintain accurate SBOMs demonstrate due diligence in tracking and managing third-party software, which can simplify audits and compliance reporting.

Ignoring the use of SBOMs or relying on outdated software components increases organizational risk significantly. Vulnerable components in applications can be exploited by attackers to gain unauthorized access, execute arbitrary code, or exfiltrate sensitive data. Furthermore, unpatched third-party libraries can introduce supply chain risks, where compromise of a widely used component impacts multiple applications and organizations. By not maintaining an SBOM or failing to act on vulnerability scan results, organizations leave themselves exposed to preventable threats and potential operational, financial, and reputational damage.

In addition to security and compliance benefits, SBOMs also improve software development efficiency. Developers can use SBOMs to understand component dependencies, identify redundant or outdated libraries, and streamline updates. When a vulnerability is discovered in a widely used component, an SBOM allows developers to quickly determine which applications are affected, accelerating the patching process and reducing downtime. This capability is particularly valuable in large-scale environments with complex applications and multiple teams contributing to software development.

Adopting SBOMs and automated scanning aligns with best practices in secure software development, as emphasized in the CISSP CBK, particularly in Domain 8, which covers software development security. Integrating these practices into DevSecOps pipelines ensures that security is considered throughout the software lifecycle, from design and coding to testing, deployment, and maintenance. Continuous monitoring of third-party components, combined with automated detection of vulnerabilities, creates a proactive approach to software security rather than a reactive one.

In conclusion, a Software Bill of Materials is a critical tool for managing the security and compliance of software applications. It provides visibility into third-party components, supports vulnerability detection through automated scans, and enables timely remediation of security issues. Ignoring SBOMs or using outdated code increases the risk of exploitation, supply chain compromise, and non-compliance with industry regulations. By implementing SBOMs and integrating automated scanning into development pipelines, organizations can improve software integrity, maintain operational resilience, and reduce security risks across their software supply chain. This proactive approach is essential for modern software development and aligns with best practices in secure SDLC, DevSecOps, and overall risk management.

Question 57:

Under Domain 7, the primary purpose of log aggregation and correlation is:

A) To reduce data retention needs
B) To enable centralised monitoring and detection of complex attack patterns
C) To store archives for compliance only
D) To decrease network bandwidth

Answer: B) To enable centralised monitoring and detection of complex attack patterns.

Explanation:

SIEM solutions aggregate and correlate logs to detect patterns across multiple systems—improving detection, response, and situational awareness. Compliance is a by-product, not the primary goal.

Question 59:

Which of the following is an example of a deterrent control under Domain 1?

A) Security camera visible to employees
B) Fire suppression system
C) Antivirus software
D) Data encryption

Answer: A) Security camera visible to employees.

Explanation:

Deterrent controls discourage violations by influencing behavior (e.g., warning signs, visible surveillance). Fire suppression is a physical corrective, antivirus is preventive, and encryption is a technical preventive.

Question 60:

A CISO calculates that a control costing $80,000 annually will reduce ALE from $250,000 to $100,000. What is the Return on Security Investment (ROSI)?

A) 87.5%
B) 62.5%
C) 25%
D) 18.75%

Answer: B) 62.5%. 

Explanation:

Return on Security Investment, or ROSI, is a key metric used in risk management to evaluate the financial effectiveness of security controls. It allows organizations to quantify the monetary benefits of implementing a security measure relative to its cost. Understanding ROSI is essential for CISSP candidates, security managers, and executives who must justify security expenditures and ensure that investments align with overall business objectives. In the scenario provided, the calculation of ROSI involves determining risk reduction, evaluating control costs, and applying the standard formula. The correct interpretation of ROSI supports effective decision-making in security investment planning.

ROSI is typically calculated using the formula: ROSI = (Risk reduction − Control cost) ÷ Control cost × 100. This approach considers not only the reduction in expected losses provided by the control but also the expense of implementing and maintaining it. By expressing the return as a percentage, ROSI provides an intuitive measure of how much benefit an organization receives for each dollar spent on security. A higher ROSI indicates that the security control delivers a greater return on investment, whereas a low or negative ROSI suggests that the cost may outweigh the benefits.

In the example provided, the expected risk reduction is calculated based on the potential financial losses the control mitigates. Suppose the potential loss from a security incident is $250,000 without any controls, and implementing a particular security measure reduces this risk to $100,000. The risk reduction is therefore $250,000 − $100,000 = $150,000. This represents the dollar amount of potential loss that is avoided due to the security control. Understanding the risk reduction component requires analyzing Single Loss Expectancy (SLE) and the Annual Rate of Occurrence (ARO) to estimate potential losses over time. By quantifying these values, organizations can assess the financial impact of threats and the benefits of protective measures.

The control cost refers to the total expense required to implement, operate, and maintain the security measure. In this scenario, the control cost is $80,000. This figure includes not only initial implementation costs, such as hardware, software, or consulting services, but also ongoing operational expenses like monitoring, updates, and personnel time. Accurate estimation of control costs is essential to ensure that ROSI calculations reflect the true financial burden of security investments.

Applying the formula for ROSI, the calculation proceeds as follows: ROSI = (Risk reduction − Control cost) ÷ Control cost × 100. Substituting the numbers, ROSI = ($150,000 − $80,000) ÷ $80,000 × 100 = $70,000 ÷ $80,000 × 100 = 87.5%. This calculation indicates that the security control provides an 87.5 percent return on investment, meaning that for every dollar spent on the control, the organization gains an additional $0.875 in avoided risk. This positive return suggests that the security measure is financially justified, as it reduces potential losses by an amount greater than its implementation and operational costs.

It is important to note that some references may simplify the formula as ROSI = (Risk reduction ÷ Control cost) × 100, which in this case would yield 187.5 percent. However, most CISSP and professional risk management references prefer the net benefit approach, where the cost of the control is subtracted from the risk reduction before dividing by the control cost. This approach reflects the actual net benefit to the organization and provides a more realistic evaluation of the security investment’s effectiveness. Using net benefit accounts for the fact that implementing controls has inherent costs and focuses on the incremental value delivered beyond the expenditure.

The practical value of ROSI extends beyond simple calculation. It allows decision-makers to compare multiple security initiatives and prioritize those with the highest financial return relative to their cost. For example, an organization may consider implementing two different security controls: one with a higher absolute risk reduction but significantly higher cost, and another with a moderate risk reduction but lower cost. Calculating ROSI for each option helps determine which control delivers the best return per dollar invested, enabling informed decisions that optimize the security budget.

ROSI also supports communication with stakeholders who may not be familiar with technical details but are responsible for approving budgets. Expressing security investments in financial terms, such as percentage return, facilitates business-oriented discussions and strengthens the justification for security expenditures. It aligns security initiatives with broader organizational goals, demonstrating that investments not only reduce risk but also deliver measurable financial benefits.

While ROSI is a valuable metric, it is important to recognize its limitations. Calculations rely on accurate estimates of potential losses, likelihood of occurrence, and control costs. Inaccurate or overly optimistic estimates can lead to misleading results. ROSI also does not account for intangible benefits such as improved reputation, regulatory compliance, or customer trust, which may be significant but difficult to quantify. Despite these limitations, ROSI remains an essential tool for evaluating and prioritizing security investments in a structured, business-focused manner.

In conclusion, ROSI provides a quantitative measure of the financial effectiveness of security controls. By calculating the net benefit of a control relative to its cost, organizations can determine whether a security investment is justified and prioritize actions that maximize return. In the scenario provided, with a risk reduction of $150,000 and a control cost of $80,000, the correct ROSI calculation using net benefit is 87.5 percent. This positive return confirms the value of the security measure and aligns with best practices in risk management and security investment decision-making. Understanding ROSI allows security professionals to communicate effectively with stakeholders, optimize resource allocation, and ensure that security initiatives provide both protection and tangible business value.