CertGrid

(ISC)² CCSP Practice Exam

Validates cloud security expertise — cloud concepts/architecture, data security, platform/infrastructure security, app security, operations, and legal/compliance.

Practice 300 exam-style (ISC)² CCSP questions with full answer explanations, then take timed mock exams that score like the real thing.

300 practice questions
100 questions on the real exam
700 passing score
180 min exam length

What the (ISC)² CCSP exam covers

Free (ISC)² CCSP sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1 (Cloud Concepts, Architecture and Design)

    In the cloud shared responsibility model, who is responsible for securing data and access configuration?

    • A. The customer (the provider secures the underlying cloud infrastructure) (Correct)
    • B. Neither party
    • C. Always the provider
    • D. A third-party auditor
    ✓ Correct answer: A

    This answer directly addresses the key concept tested in this security certification question. Understanding access is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • B. Neither party is incorrect because this option is incomplete and does not address the full requirement.
    • C. Always the provider is incorrect because this option is incomplete and does not address the full requirement.
    • D. A third-party auditor is incorrect because this option is incomplete and does not address the full requirement.
  2. Question 2 (Cloud Application Security)

    Why integrate security testing (SAST/DAST) into the CI/CD pipeline?

    • A. To replace all access controls
    • B. To encrypt the network
    • C. To catch vulnerabilities early and consistently before code reaches production (shift-left) (Correct)
    • D. To slow releases for no benefit
    ✓ Correct answer: C

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A. To replace all access controls is incorrect because external controls do not replace technical controls; both are needed.
    • B. To encrypt the network is incorrect because this option is incomplete and does not address the full requirement.
    • D. To slow releases for no benefit is incorrect because this option is incomplete and does not address the full requirement.
  3. Question 3 (Cloud Concepts, Architecture and Design) - Select all that apply

    Which TWO design choices reduce cost while preserving the ability to scale to demand? (Choose TWO)

    • A. Right-sizing instances to observed utilization (Correct)
    • B. Statically over-provisioning for peak load at all times
    • C. Leaving idle non-production environments running 24x7
    • D. Autoscaling that adds and removes capacity based on real demand (Correct)
    ✓ Correct answer: A, D

    Annual Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by Annual Rate of Occurrence (ARO): ALE = SLE × ARO. SLE is the financial impact of a single occurrence, while ARO is the expected number of times an event will occur in a year. ALE enables quantitative risk assessment by assigning numeric values based on historical data. This metric helps prioritize risks and justify control investment by comparing control costs to the risk reduction. Quantitative analysis requires detailed historical data and expert estimation of probability.

    Why the other options are wrong
    • B. Statically over-provisioning for peak load at all times is incorrect because this option is incomplete and does not address the full requirement.
    • C. Leaving idle non-production environments running 24x7 is incorrect because this option is incomplete and does not address the full requirement.
  4. Question 4 (Cloud Platform and Infrastructure Security)

    In an AWS security group, which CLI invocation permits inbound HTTPS only from the corporate CIDR 203.0.113.0/24?

    • A. aws ec2 authorize-security-group-ingress --group-id sg-1 --protocol tcp --port 443 --cidr 203.0.113.0/24 (Correct)
    • B. aws ec2 authorize-security-group-ingress --protocol tcp --port 443 --cidr 0.0.0.0/0
    • C. aws ec2 authorize-security-group-egress --protocol tcp --port 22 --cidr 203.0.113.0/24
    • D. aws ec2 revoke-security-group-ingress --protocol -1 --cidr 203.0.113.0/24
    ✓ Correct answer: A

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • B. aws ec2 authorize-security-group-ingress --protocol tcp --port 443 --cidr 0.0.0.0/0 is incorrect because this option is incomplete and does not address the full requirement.
    • C. aws ec2 authorize-security-group-egress --protocol tcp --port 22 --cidr 203.0.113.0/24 is incorrect because this option is incomplete and does not address the full requirement.
    • D. aws ec2 revoke-security-group-ingress --protocol -1 --cidr 203.0.113.0/24 is incorrect because this option is incomplete and does not address the full requirement.
  5. Question 5 (Cloud Concepts, Architecture and Design)

    Which tradeoff favors choosing PaaS over IaaS for a new service?

    • A. Full control of the hypervisor and physical hosts
    • B. Reduced operational burden (provider manages OS/runtime/patching) in exchange for less low-level control (Correct)
    • C. Guaranteed lower cost in every scenario
    • D. Elimination of the customer's data security responsibility
    ✓ Correct answer: B

    This answer directly addresses the key concept tested in this security certification question. Understanding control is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A. Full control of the hypervisor and physical hosts is incorrect because this option is incomplete and does not address the full requirement.
    • C. Guaranteed lower cost in every scenario is incorrect because this option is incomplete and does not address the full requirement.
    • D. Elimination of the customer's data security responsibility is incorrect because this option is incomplete and does not address the full requirement.
  6. Question 6 (Cloud Concepts, Architecture and Design)

    Which NIST essential cloud characteristic is the basis for chargeback/showback billing, and is sometimes confused with elasticity?

    • A. Resource pooling
    • B. On-demand self-service
    • C. Measured service (Correct)
    • D. Rapid elasticity
    ✓ Correct answer: C

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A. Resource pooling is incorrect because this option is incomplete and does not address the full requirement.
    • B. On-demand self-service is incorrect because this option includes unnecessary or incorrect components not part of the required solution.
    • D. Rapid elasticity is incorrect because this option is incomplete and does not address the full requirement.
  7. Question 7 (Cloud Security Operations)

    What is the primary purpose of a SIEM in a cloud security operations center?

    • A. Serve as the primary key management service
    • B. Aggregate and correlate logs/events from many sources to detect and alert on suspicious activity (Correct)
    • C. Provision new virtual machines on demand
    • D. Act as the customer's authoritative DNS server
    ✓ Correct answer: B

    Annual Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by Annual Rate of Occurrence (ARO): ALE = SLE × ARO. SLE is the financial impact of a single occurrence, while ARO is the expected number of times an event will occur in a year. ALE enables quantitative risk assessment by assigning numeric values based on historical data. This metric helps prioritize risks and justify control investment by comparing control costs to the risk reduction. Quantitative analysis requires detailed historical data and expert estimation of probability.

    Why the other options are wrong
    • A. Serve as the primary key management service is incorrect because this option is incomplete and does not address the full requirement.
    • C. Provision new virtual machines on demand is incorrect because this option is incomplete and does not address the full requirement.
    • D. Act as the customer's authoritative DNS server is incorrect because this option is incomplete and does not address the full requirement.
  8. Question 8 (Cloud Concepts, Architecture and Design)

    When planning a 'lift-and-shift' (rehost) migration of legacy VMs to IaaS, which factor MOST limits realizing cloud-native benefits?

    • A. IaaS cannot host migrated virtual machines
    • B. The workload retains its original architecture, so it cannot leverage autoscaling or managed services without refactoring (Correct)
    • C. Lift-and-shift automatically converts the app to serverless
    • D. Rehosting always requires rewriting the database engine
    ✓ Correct answer: B

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A. IaaS cannot host migrated virtual machines is incorrect because this option is incomplete and does not address the full requirement.
    • C. Lift-and-shift automatically converts the app to serverless is incorrect because this option is incomplete and does not address the full requirement.
    • D. Rehosting always requires rewriting the database engine is incorrect because this option is incomplete and does not address the full requirement.
  9. Question 9 (Cloud Platform and Infrastructure Security)

    An app server in a private subnet can no longer reach an external API after a network change; the route table shows a default route to a NAT gateway, but the NAT gateway sits in the same private subnet. What is the most likely fix?

    • A. Assign a public IP directly to the app server
    • B. Delete the route table so default routing applies
    • C. Move the NAT gateway to a public subnet that has a route to the internet gateway (Correct)
    • D. Disable the security group on the app server
    ✓ Correct answer: C

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A. Assign a public IP directly to the app server is incorrect because this option is incomplete and does not address the full requirement.
    • B. Delete the route table so default routing applies is incorrect because this option is incomplete and does not address the full requirement.
    • D. Disable the security group on the app server is incorrect because this option is incomplete and does not address the full requirement.
  10. Question 10 (Cloud Concepts, Architecture and Design)

    Which trust model underlies a 'zero trust' cloud architecture?

    • A. Never trust, always verify: authenticate and authorize every request regardless of network location (Correct)
    • B. Trust any request that uses TLS
    • C. Trust based solely on source IP address
    • D. Trust everything inside the corporate network perimeter
    ✓ Correct answer: A

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • B. Trust any request that uses TLS is incorrect because this option is incomplete and does not address the full requirement.
    • C. Trust based solely on source IP address is incorrect because this option is incomplete and does not address the full requirement.
    • D. Trust everything inside the corporate network perimeter is incorrect because this option is incomplete and does not address the full requirement.

(ISC)² CCSP practice exam FAQ

How many questions are in the (ISC)² CCSP practice exam on CertGrid?

CertGrid has 300 practice questions for (ISC)² CCSP, covering 6 exam domains. The real (ISC)² CCSP exam has about 100 questions.

What is the passing score for (ISC)² CCSP?

The (ISC)² CCSP exam passing score is 700, and you have about 180 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official (ISC)² CCSP exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of (ISC)² CCSP, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice (ISC)² CCSP for free?

Yes. You can start practicing (ISC)² CCSP for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.