
CISSP Practice Questions: 20 Free Questions with Answers (2026)
How to Use These Practice Questions
Each question includes a domain label matching the eight CBK domains and a difficulty marker. Read the question, choose your answer, then check the explanation. The questions below are weighted to reflect the real exam - Security and Risk Management is the heaviest domain at 16%, with the other domains between 10% and 13% each.
CISSP questions are not memory checks. They are judgment checks. When two answers look correct, the BEST answer is usually the one that reflects management responsibility, risk-based decision making, or business alignment rather than the deepest technical fix. If you find yourself reasoning "but technically..." you are probably picking the second-best answer.
These 20 questions are a small sample from the ReadRoost CISSP pack. The complete pack includes 500+ scenario-based questions, domain-weighted practice exams, and Roost AI explanations that reframe each question through the manager mindset. Start your free preview at readroo.st/marketplace/cissp-comprehensive.
Questions 1-5: Security and Risk Management + Asset Security
Domain: Security and Risk Management | Difficulty: Foundation
1. An organisation is selecting a security control framework to align with regulatory requirements and industry best practice. Which framework provides a comprehensive set of security and privacy controls that map directly to FISMA and NIST RMF processes?
A) ISO/IEC 27002
B) NIST SP 800-53
C) PCI DSS
D) COBIT 2019
Correct Answer: B NIST SP 800-53 provides the comprehensive control catalog used by US federal agencies under FISMA, with direct integration to the NIST Risk Management Framework (RMF). ISO 27002 is international guidance but not FISMA-aligned. PCI DSS is payment-card specific. COBIT 2019 is governance-focused, not a control catalog.
Domain: Security and Risk Management | Difficulty: Moderate
2. A new CISO discovers that the organisation has no documented data classification policy. Multiple business units handle confidential customer data without consistent protections. What should the CISO do FIRST?
A) Deploy data loss prevention tools across all endpoints
B) Encrypt all storage systems immediately
C) Engage executive leadership to approve a data classification policy
D) Implement role-based access control on all data stores
Correct Answer: C This is a classic CISSP manager-mindset question. Without an approved policy, technical controls (DLP, encryption, RBAC) have no defensible basis for which data they protect or why. Policy comes first - executive sign-off establishes the authority and the classification scheme that the technical controls then enforce. Jumping to tools is the technician's answer; getting the policy approved is the manager's answer.
Domain: Security and Risk Management | Difficulty: Challenging
3. After a quantitative risk assessment, an organisation calculates the Annualised Loss Expectancy (ALE) for a particular threat at $50,000. A proposed control would reduce the Annualised Rate of Occurrence by 80% and costs $25,000 per year to maintain. What is the cost-benefit analysis result, and should the control be implemented?
A) Net benefit $15,000 per year, implement
B) Net benefit $25,000 per year, implement
C) Net cost $25,000 per year, do not implement
D) Net benefit $40,000 per year, implement
Correct Answer: A Reduced ALE = $50,000 x (1 - 0.80) = $10,000. Risk reduction = $50,000 - $10,000 = $40,000. Net benefit = $40,000 - $25,000 = $15,000 per year. The control should be implemented. This is the standard CISSP cost-benefit calculation: subtract the residual ALE from the original ALE, then subtract the annual control cost.
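The calculation in this explanation generalises to any control: compute ALE from SLE and ARO, take the residual ALE after the control, and subtract the control's annual cost. The following Python is an added worked example, not part of the original question set; the Control class, the function names and the second "gold-plated" control are constructed for illustration, and it also covers the case where a control costs more than the risk it removes (the situation option C describes).

```python
"""Quantitative risk cost-benefit helper (added example, not from the original page).
ALE = SLE x ARO; residual ALE = ALE x (1 - ARO reduction);
net benefit = (ALE before - ALE after) - annual control cost."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    name: str              # label, constructed for the example
    aro_reduction: float   # fraction by which the control cuts the ARO (0.0 to 1.0)
    annual_cost: float     # yearly cost to buy, run and maintain the control


def ale(sle: float, aro: float) -> float:
    """Annualised Loss Expectancy = Single Loss Expectancy x Annualised Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def residual_ale(current_ale: float, control: Control) -> float:
    """ALE that remains once the control has reduced the ARO by its stated fraction."""
    if not 0.0 <= control.aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be between 0 and 1")
    return current_ale * (1.0 - control.aro_reduction)


def net_benefit(current_ale: float, control: Control) -> float:
    """Risk reduction minus annual control cost; positive means the control pays for itself."""
    risk_reduction = current_ale - residual_ale(current_ale, control)
    return risk_reduction - control.annual_cost


def recommend(current_ale: float, controls: List[Control]) -> Tuple[Optional[Control], float]:
    """Pick the control with the highest positive net benefit.
    Returns (None, 0.0) when no candidate is worth implementing."""
    best: Optional[Control] = None
    best_value = 0.0
    for control in controls:
        value = net_benefit(current_ale, control)
        if value > best_value:
            best, best_value = control, value
    return best, best_value


if __name__ == "__main__":
    # Figures from question 3: ALE $50,000, control cuts ARO by 80% at $25,000 per year.
    q3 = Control("proposed control", aro_reduction=0.80, annual_cost=25_000)
    print(f"Residual ALE: ${residual_ale(50_000, q3):,.0f}")   # $10,000
    print(f"Net benefit:  ${net_benefit(50_000, q3):,.0f}")    # $15,000, so implement
    # Constructed alternative that costs more than the risk it removes (option C's situation).
    pricey = Control("gold-plated control", aro_reduction=0.90, annual_cost=60_000)
    best, value = recommend(50_000, [q3, pricey])
    print(f"Recommend: {best.name if best else 'none'} (net benefit ${value:,.0f})")
```

The decision rule is deliberately simple: a control with a zero or negative net benefit is never recommended, which is the exam's "do not implement" case, and among positive candidates the largest net benefit wins.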
Domain: Asset Security | Difficulty: Moderate
4. An organisation classifies its data into Public, Internal, Confidential, and Restricted categories. A business unit wants to share a Confidential dataset with an external research partner. Who has the authority to approve the release?
A) The data custodian who manages the storage system
B) The data owner accountable for the dataset
C) The information security manager
D) The chief privacy officer
Correct Answer: B The data owner is accountable for classification decisions and external sharing approvals. The data custodian implements technical controls but does not own the data. Security and privacy roles advise on risk and compliance but do not have authority to override the data owner's decisions. CISSP repeatedly tests the owner-vs-custodian distinction - the custodian operates, the owner decides.
Domain: Asset Security | Difficulty: Foundation
5. An organisation is decommissioning legacy hard drives that previously stored Restricted-classification customer data. Which sanitisation method provides the highest assurance that the data cannot be recovered?
A) Single-pass overwrite with zeros
B) Quick format and reuse
C) Cryptographic erasure (only if originally encrypted)
D) Physical destruction (shred or incinerate)
Correct Answer: D For Restricted data, physical destruction provides the highest assurance because no software-level recovery is possible. Cryptographic erasure is excellent IF the drive was encrypted from the start (and the key is destroyed), but it doesn't apply retroactively. Single-pass overwrite is acceptable for many classifications but not the highest assurance. Quick format leaves data fully recoverable.
Questions 6-10: Security Architecture + Communication and Network Security
Domain: Security Architecture and Engineering | Difficulty: Moderate
6. A development team is selecting a security model to enforce mandatory access controls in a multi-level secure system. The primary requirement is to prevent low-classification subjects from reading high-classification data and prevent high-classification subjects from writing to low-classification data. Which model addresses both requirements?
A) Bell-LaPadula
B) Biba
C) Clark-Wilson
D) Brewer-Nash
Correct Answer: A Bell-LaPadula enforces confidentiality through 'no read up' (Simple Security Property) and 'no write down' (Star Property), exactly the requirements stated. Biba enforces integrity ('no read down, no write up'). Clark-Wilson focuses on well-formed transactions for integrity. Brewer-Nash (Chinese Wall) prevents conflicts of interest in commercial systems.
Domain: Security Architecture and Engineering | Difficulty: Challenging
7. An architect is designing a system that processes sensitive data and must withstand attacks against the operating system itself. The system must enforce isolation between processes such that a compromise of the OS does not expose the protected data. Which architectural component provides this guarantee?
A) Trusted Platform Module (TPM)
B) Hardware Security Module (HSM) for cryptographic operations
C) Trusted Execution Environment (TEE) such as Intel SGX or ARM TrustZone
D) Virtualisation hypervisor with VLAN segmentation
Correct Answer: C A TEE provides hardware-enforced isolation such that even a compromised OS cannot access the protected enclave's memory. TPMs perform measured boot and key storage but do not isolate runtime data. HSMs protect cryptographic keys, not arbitrary application data. Virtualisation with VLANs is network segmentation, not memory isolation.
Domain: Security Architecture and Engineering | Difficulty: Foundation
8. An organisation needs to evaluate a vendor's claim that their product meets a specific security assurance level. Which standard provides an internationally recognised methodology for evaluating security functionality and assurance?
A) FIPS 140-3
B) Common Criteria (ISO/IEC 15408)
C) PCI DSS
D) HIPAA
Correct Answer: B Common Criteria (ISO/IEC 15408) provides Evaluation Assurance Levels (EAL 1-7) for product security evaluation across nations. FIPS 140-3 is specific to cryptographic modules. PCI DSS and HIPAA are sector-specific compliance regimes, not product evaluation standards.
Domain: Communication and Network Security | Difficulty: Moderate
9. A security architect is designing a network for a financial services firm. Trading systems must communicate with external counterparties but should not be reachable from the corporate user network. What is the BEST design pattern?
A) Place the trading systems in the corporate user VLAN with host-based firewalls
B) Place the trading systems in a separate security zone with a dedicated firewall and explicit allow-list rules
C) Use a single perimeter firewall with NAT to mask trading system addresses
D) Place the trading systems on the public internet with strong authentication
Correct Answer: B Defence in depth with network segmentation (separate security zone) plus explicit allow-list rules limits the blast radius if either network is compromised. Host-based firewalls without segmentation rely on a single layer. NAT masking does not provide isolation. Internet-exposed systems for trading violate basic perimeter design even with strong auth.
Domain: Communication and Network Security | Difficulty: Challenging
10. A network administrator is implementing IPsec for site-to-site connectivity between two corporate offices. The requirement is for both authentication and confidentiality of the entire IP packet, including original headers. Which IPsec configuration meets this requirement?
A) AH in transport mode
B) ESP in transport mode
C) AH in tunnel mode
D) ESP in tunnel mode
Correct Answer: D ESP in tunnel mode encrypts the entire original IP packet (headers and payload) and adds a new outer header. This provides both confidentiality (encryption) and authentication (HMAC). AH provides authentication only, no confidentiality. Transport mode does not encapsulate the original headers. Tunnel mode is required for site-to-site VPN.
Questions 11-15: IAM + Security Assessment and Testing
Domain: Identity and Access Management | Difficulty: Moderate
11. An organisation is implementing a Zero Trust architecture. A user authenticates successfully with a strong credential, then attempts to access a sensitive application from an unmanaged personal laptop. According to Zero Trust principles, what should happen?
A) Grant access because the user is authenticated
B) Grant access because the credential is strong
C) Evaluate device posture and grant least-privileged access only if compliant
D) Deny access because the device is unmanaged
Correct Answer: C Zero Trust treats every access request as untrusted regardless of authentication. Device posture (managed/unmanaged, patched, EDR present) is evaluated alongside identity, and access is granted at the least-privilege level the combined risk assessment allows. Blanket allow-after-auth and blanket deny-on-unmanaged are both wrong - the architecture is risk-graduated, not binary.
Domain: Identity and Access Management | Difficulty: Foundation
12. An auditor is reviewing user access rights and finds that a finance employee transferred to the marketing department six months ago but still retains access to the finance system. Which access management failure does this represent?
A) Authentication failure
B) Authorisation failure
C) Accounting failure
D) Failure to enforce least privilege through periodic access review
Correct Answer: D The employee's authentication and authorisation worked - they could log in and access permitted resources. The failure is the absence of periodic access review and the joiner-mover-leaver process that should have revoked finance access on transfer. Privilege creep accumulates from missing reviews, not from failures of the authentication or authorisation engines.
Domain: Identity and Access Management | Difficulty: Moderate
13. An organisation is implementing federated single sign-on between an internal identity provider and a cloud HR application. Which protocol is most commonly used for browser-based federation in this scenario?
A) Kerberos
B) RADIUS
C) SAML 2.0
D) LDAP
Correct Answer: C SAML 2.0 is the standard for browser-based federated SSO between an identity provider (IdP) and service provider (SP), exchanging XML-signed assertions. Kerberos works within a single realm (for example, a Windows Active Directory domain), not cross-organisation cloud federation. RADIUS is for network access. LDAP is a directory protocol, not a federation protocol. OAuth/OIDC are also valid for federation but were not in the option set.
Domain: Security Assessment and Testing | Difficulty: Moderate
14. An organisation is planning a penetration test against its public-facing web applications. Which testing approach simulates an external attacker with no prior knowledge of the systems?
A) White box testing
B) Black box testing
C) Gray box testing
D) Vulnerability scanning
Correct Answer: B Black box testing simulates an external attacker with no internal information, matching the realistic threat scenario for public-facing systems. White box (full information) tests insider threats or thorough audit. Gray box has partial information. Vulnerability scanning is automated discovery, not penetration testing - it lacks the exploit and post-exploit phases.
Domain: Security Assessment and Testing | Difficulty: Challenging
15. After a penetration test, the report identifies a critical SQL injection vulnerability that was successfully exploited to extract customer records. The IT team wants to fix the immediate issue and move on. What should the security manager recommend?
A) Patch the SQL injection vulnerability and close the finding
B) Patch the vulnerability AND identify why secure coding controls failed to prevent it
C) Replace the application with a new framework
D) Add a web application firewall and accept the risk
Correct Answer: B The vulnerability is the symptom; the failure of secure-coding standards (input validation, parameterised queries, code review, SAST) is the root cause. Patching alone leaves the underlying process gap intact and the next vulnerability will land in production the same way. CISSP repeatedly tests the difference between treating the symptom and treating the systemic cause - the manager looks for the systemic answer.
Questions 16-20: Security Operations + Software Development Security
Domain: Security Operations | Difficulty: Foundation
16. During an incident response, the team has contained an active intrusion and removed the attacker's access. According to the standard incident response lifecycle (NIST SP 800-61), what comes NEXT?
A) Preparation
B) Detection and Analysis
C) Containment, Eradication, and Recovery
D) Post-Incident Activity (lessons learned)
Correct Answer: D The NIST SP 800-61 lifecycle is: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; then Post-Incident Activity. Once the team has contained and eradicated, the next phase is the lessons-learned review that turns the incident into improved preparation for next time. CISSP tests this lifecycle order frequently.
Domain: Security Operations | Difficulty: Moderate
17. An organisation is designing its disaster recovery strategy for a critical billing system. Business requirements specify that the system must be restored within 4 hours and that no more than 30 minutes of data loss is acceptable. Which two metrics define these requirements?
A) RTO of 4 hours, RPO of 30 minutes
B) RPO of 4 hours, RTO of 30 minutes
C) MTBF of 4 hours, MTTR of 30 minutes
D) MTD of 4 hours, WRT of 30 minutes
Correct Answer: A Recovery Time Objective (RTO) is the maximum acceptable time to restore service. Recovery Point Objective (RPO) is the maximum acceptable data loss measured backward from the failure. 4 hours to restore = RTO. 30 min of data loss = RPO. MTBF/MTTR are reliability metrics, not recovery requirements.
Domain: Security Operations | Difficulty: Challenging
18. A security operations centre detects a sustained pattern of authentication attempts against a service account from multiple geographic locations within a short period. Which mitigation provides immediate containment without breaking legitimate use?
A) Disable the service account
B) Force a password reset on the service account
C) Apply Conditional Access geographic restrictions and require MFA for non-standard locations
D) Add the source IPs to a global block list
Correct Answer: C Conditional Access with geographic restrictions and MFA contains the active threat (attacker is in unfamiliar locations) without disabling legitimate operations. Disabling the account is too disruptive if the service is critical. Password reset alone does not contain the attacker if they are still attempting. Global IP block lists do not scale and can cause collateral damage.
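To make the detection side of this scenario concrete, here is an added Python example (not code from the page or from any SOC product) that scans constructed authentication log lines, flags an account seen from several countries inside a short window, and turns the finding into the kind of graduated containment option C describes: keep the account's known home locations working, and require step-up or block everywhere else. The log format, the account names, the IP addresses and the "home countries" inventory are all constructed assumptions.

```python
"""Multi-geography authentication detector (added example, not from the original page).
Log line format is an assumption for this example:
<ISO-8601 UTC timestamp> <account> <source_ip> <country> <result>"""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: a service account hit from four countries in three minutes,
# plus an ordinary user whose logins all come from one country.
SAMPLE_LOG = """\
2026-03-01T09:00:05Z svc-billing 203.0.113.10 DE success
2026-03-01T09:00:41Z svc-billing 198.51.100.7 BR failure
2026-03-01T09:01:02Z svc-billing 192.0.2.55 VN failure
2026-03-01T09:01:30Z svc-billing 203.0.113.10 DE success
2026-03-01T09:02:15Z svc-billing 198.51.100.200 NG failure
2026-03-01T09:03:00Z alice 203.0.113.44 DE success
2026-03-01T11:30:00Z alice 203.0.113.44 DE success
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one log line into (timestamp, account, source_ip, country, result)."""
    ts, account, ip, country, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, country, result


def find_multi_geo_accounts(log_text: str,
                            window: timedelta = timedelta(minutes=10),
                            min_countries: int = 3) -> Dict[str, List[str]]:
    """Return {account: sorted list of countries} for every account that authenticated
    (successfully or not) from at least min_countries distinct countries within any
    sliding window of the given length."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _ip, country, _result = parse_line(line)
        events[account].append((ts, country))

    flagged: Dict[str, List[str]] = {}
    for account, items in events.items():
        items.sort()  # chronological order so the window scan below is correct
        for i, (start, _) in enumerate(items):
            countries = {c for t, c in items[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[account] = sorted(countries)
                break
    return flagged


def conditional_access_plan(flagged: Dict[str, List[str]],
                            home_countries: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Containment that keeps legitimate use working: the account's known home countries
    keep working, every other observed country needs MFA (or is blocked for
    non-interactive service accounts). home_countries is a constructed inventory."""
    plan: Dict[str, Dict[str, List[str]]] = {}
    for account, countries in flagged.items():
        home = home_countries.get(account, set())
        plan[account] = {
            "allow_from": sorted(home),
            "require_mfa_or_block": sorted(set(countries) - home),
        }
    return plan


if __name__ == "__main__":
    hits = find_multi_geo_accounts(SAMPLE_LOG)
    print("Flagged:", hits)  # {'svc-billing': ['BR', 'DE', 'NG', 'VN']}
    print("Plan:", conditional_access_plan(hits, {"svc-billing": {"DE"}}))
```

The detector counts failures as well as successes on purpose: the question describes attempts, and a spray against a service account is visible before any login succeeds. Disabling the account or resetting its password (options A and B) would appear nowhere in the plan, because the point of the exercise is to contain while the legitimate location keeps working.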
Domain: Software Development Security | Difficulty: Moderate
19. A development team is integrating security into their CI/CD pipeline. The team wants to detect vulnerable dependencies before code is merged to the main branch. Which testing technique addresses this requirement?
A) Dynamic Application Security Testing (DAST)
B) Static Application Security Testing (SAST)
C) Software Composition Analysis (SCA)
D) Interactive Application Security Testing (IAST)
Correct Answer: C Software Composition Analysis specifically scans dependencies (libraries, packages, container images) for known vulnerabilities and license issues, exactly the use case described. SAST analyses first-party source code. DAST tests running applications. IAST instruments applications during testing. SCA is the right tool for the supply-chain dependency layer.
Domain: Software Development Security | Difficulty: Challenging
20. An organisation is migrating to a microservices architecture. Each microservice is independently deployed and communicates via APIs. From a security perspective, what is the MOST important architectural shift compared to a monolithic application?
A) Need to encrypt the database
B) Need for centralised authentication and inter-service authorisation, plus a service mesh for mTLS
C) Need to deploy a single perimeter firewall
D) Need for a dedicated WAF for each service
Correct Answer: B Monolithic apps trust internal function calls. Microservices replace those calls with network requests across services that may run on different infrastructure. The MOST important shift is no longer trusting the internal network - this requires service-to-service authentication (mTLS via service mesh), centralised identity for users, and explicit authorisation for inter-service calls. Database encryption, perimeter firewalls, and WAFs are all relevant but not the architectural shift the question asks about.
Score Yourself, Then Drill the Gaps
18-20 correct: You are reading questions like a manager. Book the exam. The remaining gap is just exam-condition pacing under the 100-150 question adaptive format.
14-17 correct: Solid foundation, judgment is mostly there. The 3-6 questions you missed are the diagnostic - work the explanations until you can articulate WHY the wrong answers are wrong, not just why the right answer is right.
10-13 correct: You know the technical material but the manager-mindset reframe is not landing yet. CISSP rewards 'best answer in a management context' over 'technically correct'. This is a study-method gap, not a knowledge gap.
Under 10 correct: Step back to a structured study cycle before more practice questions. The CISSP study guide walks the eight domains with the right depth. Then come back to question banks.
ReadRoost's CISSP pack carries 500+ scenario questions across the eight domains, weighted to the real exam, plus Roost AI explanations that explicitly call out the manager-mindset reframe on every question. Start the free preview at readroo.st/marketplace/cissp-comprehensive.
Frequently Asked Questions
How hard is the CISSP exam compared to these practice questions?
The real exam is harder in three specific ways. First, the adaptive format (CAT) escalates difficulty as you answer correctly, so a 100-question version can feel brutal. Second, the question stems are often longer with more red herrings. Third, time pressure compounds the judgment difficulty - 100 hard judgment calls in 3 hours is fatiguing. Use these 20 questions as a calibration check, then graduate to full-length timed practice exams.
Why does CISSP keep telling me to 'think like a manager'?
CISSP is positioned as a management-level certification, not a technical one. The exam tests your ability to make risk-based decisions that align with business objectives, regulatory requirements, and organisational strategy - not your ability to configure a firewall. When two answers are technically correct, the manager's answer (policy first, governance, business alignment, accountability over implementation) is usually the BEST answer ISC2 is looking for.
How many practice questions should I do before sitting CISSP?
Most candidates who pass have done between 1,500 and 3,000 practice questions across multiple providers, with a final-week target of 80%+ on three different question banks. Quality matters more than quantity - drilling the same low-quality bank 5,000 times trains you to recognise THAT bank's wording, not the exam's reasoning.
Are these questions written in the real ISC2 style?
These questions are modelled on the real ISC2 style: scenario-based stems, four options where two or three could be plausible, and a 'BEST' answer rather than a single correct fact. The wording is original (we don't reproduce ISC2 questions verbatim - that would be a CISSP code of ethics violation) but the structure and judgment-call style match.
What's the difference between CISSP and the SSCP?
CISSP is the senior certification (5 years of paid work experience required) and tests management-level judgment across eight domains. SSCP is the entry-mid-level technical certification (1 year experience) and tests hands-on security operations across seven domains. SSCP is the right cert if you have 1-3 years of experience and want a credential while you build toward CISSP.
Does ReadRoost cover the CISSP CCSP, ISSAP, ISSEP, or ISSMP?
ReadRoost currently covers CISSP itself. The CCSP and the ISSAP/ISSEP/ISSMP concentrations are on the roadmap as separate marketplace packs. Check readroo.st/marketplace for the current list.
I keep failing on Domain 1 (Security and Risk Management). Why?
Domain 1 is the heaviest (16%) AND the most management-mindset-heavy. If you're failing here, the issue is usually trying to answer with the technical-control mindset when the question is asking about policy, governance, or risk decisions. Re-read the explanations on questions 2-3 above and notice that the right answer is about WHO has authority and WHAT process applies, not WHICH tool fixes it.
