Is the CISSP practice exam free?

Yes. ExamCademy offers all 483 CISSP practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the CISSP practice questions?

All CISSP questions are community-created and reviewed by moderators to align with ISC's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the CISSP exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official ISC documentation and hands-on experience for best results.

CISSP Practice Exam — Free 483+ Questions

483Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

Security and Risk Management

Question 2

Security Architecture and Engineering

Question 3

Asset Security

Question 4

Asset Security

Question 5

Identity and Access Management (IAM)

Question 6

Security and Risk Management

Question 7

Security and Risk Management

Question 8

Software Development Security

Question 9

Security Architecture and Engineering

Question 10

Security Architecture and Engineering

Question 11

Security Assessment and Testing

Question 12

Identity and Access Management (IAM)

Question 13

Security Assessment and Testing

Question 14

Security Operations

Question 15

Communication and Network Security

Question 16

Asset Security

Question 17

Security Operations

Question 18

Communication and Network Security

Question 19

Communication and Network Security

Question 20

Identity and Access Management (IAM)

Question 21

Security Assessment and Testing

Question 22

Security Architecture and Engineering

Question 23

Security Assessment and Testing

Question 24

Asset Security

Question 25

Security and Risk Management

Page 1 of 20 • Questions 1-25 of 483

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

What is the PRIMARY reason for criminal law being difficult to enforce when dealing with cybercrime?

A Jurisdiction is hard to define.
B Law enforcement agencies are understaffed.
C Extradition treaties are rarely enforced.
D Numerous language barriers exist.

Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system?

A Reference monitor
B Trusted Computing Base (TCB)
C Time separation
D Security kernel

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the
BEST solution to securely store the private keys?

A Physically secured storage device
B Trusted Platform Module (TPM)
C Encrypted flash drive
D Public key infrastructure (PKI)

Which of the following is the BEST way to protect an organization's data assets?

A Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
B Monitor and enforce adherence to security policies.
C Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
D Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.

In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?

A Implement bi-annual reviews.
B Create policies for system access.
C Implement and review risk-based alerts.
D Increase logging levels.

When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

A SOC 1 Type 1
B SOC 2 Type 1
C SOC 2 Type 2
D SOC 3

What process facilitates the balance of operational and economic costs of protective measures with gains in mission capability?

A Performance testing
B Risk assessment
C Security audit
D Risk management

When auditing the Software Development Life Cycle (SDLC) which of the following is one of the high-level audit phases?

A Planning
B Risk assessment
C Due diligence
D Requirements

Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)?

A Proper security controls, security objectives, and security goals are properly initiated.
B Security objectives, security goals, and system test are properly conducted.
C Proper security controls, security goals, and fault mitigation are properly conducted.
D Security goals, proper security controls, and validation are properly initiated.

A subscription service which provides power, climate control, raised flooring, and telephone wiring but NOT the computer and peripheral equipment is BEST described as a:

A cold site.
B warm site.
C hot site.
D reciprocal site.

What is the BEST approach to anonymizing personally identifiable information (PII) in a test environment?

A Swapping data
B Randomizing data
C Encoding data
D Encrypting data

An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer
(CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective?

A Port security
B Two-factor authentication (2FA)
C Strong passwords
D Application firewall

Which of the following threats would be MOST likely mitigated by monitoring assets containing open source libraries for vulnerabilities?

A Distributed denial-of-service (DDoS) attack
B Advanced persistent threat (APT) attempt
C Zero-day attack
D Phishing attempt

Which of the following ensures old log data is not overwritten?

A Log retention
B Implement Syslog
C Increase log file size
D Log preservation

Which of the following virtual network configuration options is BEST to protect virtual machines (VM)?

A Data segmentation
B Data encryption
C Traffic filtering
D Traffic throttling

An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?

A Compression
B Caching
C Replication
D Deduplication

Which of the following is included in change management?

A Technical review by business owner
B User Acceptance Testing (UAT) before implementation
C Cost-benefit analysis (CBA) after implementation
D Business continuity testing

When designing a new Voice over Internet Protocol (VoIP) network, an organization's top concern is preventing unauthorized users accessing the VoIP network.
Which of the following will BEST help secure the VoIP network?

A 802.11g
B Web application firewall (WAF)
C Transport Layer Security (TLS)
D 802.1x

Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document?

A Hashing
B Message digest (MD)
C Symmetric
D Asymmetric

An organization would like to ensure that all new users have a predefined departmental access template applied upon creation. The organization would also like additional access for users to be granted on a per-project basis. What type of user access administration is BEST suited to meet the organization's needs?

A Decentralized
B Hybrid
C Centralized
D Federated

What is the PRIMARY consideration when testing industrial control systems (ICS) for security weaknesses?

A ICS often run on UNIX operating systems.
B ICS often do not have availability requirements.
C ICS are often sensitive to unexpected traffic.
D ICS are often isolated and difficult to access.

A Simple Power Analysis (SPA) attack against a device directly observes which of the following?

A Magnetism
B Generation
C Consumption
D Static discharge

Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?

A Service Organization Control (SOC) 2
B Statement on Standards for Attestation Engagements (SSAE) 18
C Statement on Auditing Standards (SAS) 70
D Service Organization Control (SOC) 1

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?

A 0
B 1
C 2
D 3

A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization?

A Organization loses control of their network devices.
B Network is flooded with communication traffic by the attacker.
C Network management communications is disrupted.
D Attacker accesses sensitive information regarding the network topology.

CISSPPreview

About the CISSP Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

CISSPPreview

About the CISSP Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25