
(ISC)² CISSP Practice Exam

Validates broad security leadership knowledge across 8 domains — security and risk management, asset security, architecture, IAM, operations, and more.

Practice 300 exam-style (ISC)² CISSP questions with full answer explanations, then take timed mock exams that score like the real thing.

300 practice questions
100 questions on the real exam
700 passing score
240 min exam length

What the (ISC)² CISSP exam covers

Free (ISC)² CISSP sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1: Security and Risk Management

    What does the CIA triad represent?

    • A: Confidentiality, Identity, Authorization
    • B: Control, Identity, Access
    • C: Confidentiality, Integrity, Availability (Correct)
    • D: Compliance, Integrity, Auditing
    ✓ Correct answer: C

    The CIA Triad defines three core security objectives: Confidentiality (ensuring data is not disclosed to unauthorized parties), Integrity (ensuring data is not altered without authorization), and Availability (ensuring data is accessible when needed). Different security controls address different CIA elements; encryption protects confidentiality while backups protect availability. Organizations must balance the three elements based on business requirements and data sensitivity. The appropriate level of each CIA element depends on the data classification.

    Why the other options are wrong
    • A: Confidentiality, Identity, Authorization is incorrect because this option is incomplete and does not address the full requirement.
    • B: Control, Identity, Access is incorrect because this option is incomplete and does not address the full requirement.
    • D: Compliance, Integrity, Auditing is incorrect because this option is incomplete and does not address the full requirement.
  2. Question 2: Communication and Network Security

    Which segments a network to limit broadcast domains and contain breaches?

    • A: Public IPs everywhere
    • B: Disabling firewalls
    • C: VLANs / subnetting with ACLs (Correct)
    • D: A single flat network
    ✓ Correct answer: C

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A: Public IPs everywhere is incorrect because this option is incomplete and does not address the full requirement.
    • B: Disabling firewalls is incorrect because this option is incomplete and does not address the full requirement.
    • D: A single flat network is incorrect because this option is incomplete and does not address the full requirement.
  3. Question 3: Security and Risk Management

    Which metric best balances control spending against the value of risk reduction over time?

    • A: Mean time between failures (MTBF)
    • B: Total bandwidth consumed
    • C: Maximum transmission unit (MTU)
    • D: Return on security investment (ROSI) (Correct)
    ✓ Correct answer: D

    This answer directly addresses the key concept tested in this security certification question. Understanding risk and control spending is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A: Mean time between failures (MTBF) is incorrect because this option is incomplete and does not address the full requirement.
    • B: Total bandwidth consumed is incorrect because network performance is not relevant to this security control.
    • C: Maximum transmission unit (MTU) is incorrect because this option is incomplete and does not address the full requirement.
  4. Question 4: Security Architecture and Engineering

    Which OpenSSL command generates a 4096-bit RSA private key written to server.key?

    • A: openssl rsa -in server.key 4096
    • B: openssl req -new -key 4096
    • C: openssl genrsa -out server.key 4096 (Correct)
    • D: openssl dgst -rsa 4096 server.key
    ✓ Correct answer: C

    This answer directly addresses the key concept tested in this security certification question. Understanding this topic is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A: openssl rsa -in server.key 4096 is incorrect because this option is incomplete and does not address the full requirement.
    • B: openssl req -new -key 4096 is incorrect because this option is incomplete and does not address the full requirement.
    • D: openssl dgst -rsa 4096 server.key is incorrect because this option is incomplete and does not address the full requirement.
  5. Question 5: Security Architecture and Engineering

    When designing a system around 'secure defaults,' which configuration best embodies the principle?

    • A: Allow all traffic and block only known-bad patterns
    • B: Deny by default and require explicit grants to enable access or features (Correct)
    • C: Ship with all features enabled so users can disable what they don't need
    • D: Leave administrative interfaces open until hardening is scheduled
    ✓ Correct answer: B

    This answer directly addresses the key concept tested in this security certification question. Understanding access control is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A: Allow all traffic and block only known-bad patterns is incorrect because this option is incomplete and does not address the full requirement.
    • C: Ship with all features enabled so users can disable what they don't need is incorrect because this option is incomplete and does not address the full requirement.
    • D: Leave administrative interfaces open until hardening is scheduled is incorrect because this option is incomplete and does not address the full requirement.
  6. Question 6: Security and Risk Management

    A safeguard costs $40,000 per year. The threat it addresses has an SLE of $25,000 and an ARO of 0.8. Should the control be implemented based on quantitative analysis?

    • A: Yes, the ALE is $50,000, which exceeds the control cost
    • B: No, controls should never be purchased for risk below $100,000
    • C: Yes, any control reducing risk is always justified
    • D: No, the ALE is $20,000, which is less than the $40,000 annual control cost (Correct)
    ✓ Correct answer: D

    Annual Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by Annual Rate of Occurrence (ARO): ALE = SLE × ARO. SLE is the financial impact of a single occurrence, while ARO is the expected number of times an event will occur in a year. Here ALE = $25,000 × 0.8 = $20,000, which is less than the $40,000 annual cost of the control, so the control is not justified on a purely quantitative basis. ALE enables quantitative risk assessment by assigning numeric values based on historical data. This metric helps prioritize risks and justify control investment by comparing control costs to the risk reduction. Quantitative analysis requires detailed historical data and expert estimation of probability.

    Why the other options are wrong
    • A: Yes, the ALE is $50,000, which exceeds the control cost is incorrect because this option is incomplete and does not address the full requirement.
    • B: No, controls should never be purchased for risk below $100,000 is incorrect because this option is incomplete and does not address the full requirement.
    • C: Yes, any control reducing risk is always justified is incorrect because this option is incomplete and does not address the full requirement.
  7. Question 7: Security Operations

    What is the primary purpose of a SIEM in security operations?

    • A: To replace the need for backups
    • B: To centrally aggregate, correlate, and alert on log/event data from many sources (Correct)
    • C: To assign IP addresses to hosts
    • D: To encrypt all endpoints automatically
    ✓ Correct answer: B

    A SIEM centrally aggregates, correlates, and alerts on log and event data collected from many sources, giving security operations a single place to detect, triage, and investigate suspicious activity.

    Why the other options are wrong
    • A: To replace the need for backups is incorrect because a SIEM is a monitoring control and does not replace backups; both are needed.
    • C: To assign IP addresses to hosts is incorrect because IP address assignment is a network configuration task, not related to this control.
    • D: To encrypt all endpoints automatically is incorrect because this option is incomplete and does not address the full requirement.
  8. Question 8: Security Operations

    What is 'dwell time' in the context of security monitoring and incident response?

    • A: The latency of a single network ping
    • B: The duration an attacker remains undetected in an environment before discovery (Correct)
    • C: The interval between scheduled backups
    • D: The time a server spends in a low-power idle state
    ✓ Correct answer: B

    This answer directly addresses the key concept tested in this security certification question. Understanding incident response is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • A: The latency of a single network ping is incorrect because this option is incomplete and does not address the full requirement.
    • C: The interval between scheduled backups is incorrect because this option is incomplete and does not address the full requirement.
    • D: The time a server spends in a low-power idle state is incorrect because this option is incomplete and does not address the full requirement.
  9. Question 9: Security and Risk Management

    A vendor's contract is up for renewal and you discover they store your customer PII in a region with weak privacy law. Management wants to keep the vendor but reduce exposure. Which action BEST treats this risk?

    • A: Add contractual clauses (data residency, breach notice, audit rights) and cyber insurance, combining mitigation and transfer (Correct)
    • B: Accept the risk silently since the vendor is preferred
    • C: Ignore residency because the contract is nearly signed
    • D: Avoid all third parties and build everything in-house immediately
    ✓ Correct answer: A

    This answer directly addresses the key concept tested in this security certification question. Understanding risk treatment and audit rights is essential for compliance and effective risk management. Organizations must implement this practice as part of their overall security and governance program. Regular assessment and improvement of this area ensures alignment with industry standards and regulatory requirements. This represents a critical control point in the security architecture.

    Why the other options are wrong
    • B: Accept the risk silently since the vendor is preferred is incorrect because this option is incomplete and does not address the full requirement.
    • C: Ignore residency because the contract is nearly signed is incorrect because ignoring this risk or control would violate governance requirements.
    • D: Avoid all third parties and build everything in-house immediately is incorrect because this option is incomplete and does not address the full requirement.
  10. Question 10: Identity and Access Management

    In an OpenID Connect flow, which value is used by the client to detect and prevent token replay by binding the ID token to the original authentication request?

    • A: The nonce claim, which the client generates and verifies in the returned ID token (Correct)
    • B: The state parameter, which signs the ID token
    • C: The scope parameter, which encrypts the ID token
    • D: The aud claim, which lists the token's expiration time
    ✓ Correct answer: A

    The client generates the nonce, sends it in the authentication request, and checks that the same value appears in the returned ID token; a token whose nonce does not match the request is rejected, which binds the token to that request and defeats replay. More broadly, authentication verifies that a user is who they claim to be. Single-factor authentication (password only) is vulnerable to compromise; multi-factor authentication (MFA) combines multiple factors: something you know (password), something you have (token), or something you are (biometric). MFA significantly reduces account compromise risk even if one factor is compromised. Step-up authentication applies stronger authentication for sensitive transactions. Authentication must be implemented across all systems and access points.

    Why the other options are wrong
    • B: The state parameter, which signs the ID token is incorrect because this option is incomplete and does not address the full requirement.
    • C: The scope parameter, which encrypts the ID token is incorrect because this option is incomplete and does not address the full requirement.
    • D: The aud claim, which lists the token's expiration time is incorrect because this option is incomplete and does not address the full requirement.

(ISC)² CISSP practice exam FAQ

How many questions are in the (ISC)² CISSP practice exam on CertGrid?

CertGrid has 300 practice questions for (ISC)² CISSP, covering 8 exam domains. The real (ISC)² CISSP exam has about 100 questions.

What is the passing score for (ISC)² CISSP?

The (ISC)² CISSP exam passing score is 700, and you have about 240 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official (ISC)² CISSP exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of (ISC)² CISSP, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice (ISC)² CISSP for free?

Yes. You can start practicing (ISC)² CISSP for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.