Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

CISSP by ISC - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?

A Measure the effect of the program on the organization's workforce.
B Make all stakeholders aware of the program's progress.
C Facilitate supervision of periodic training events.
D Comply with legal regulations and document due diligence in security practices.

Question 4

In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made?

A Prepare to take corrective actions quickly.
B Automate functionality testing.
C Review logs for any anomalies.
D Receive approval from the change review board.

Question 5

What is the MAIN purpose of a security assessment plan?

A Provide education to employees on security and privacy, to ensure their awareness on policies and procedures.
B Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
C Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation.
D Provide technical information to executives to help them understand information security postures and secure funding.

Question 6

What documentation is produced FIRST when performing an effective physical loss control process?

A Deterrent controls list
B Security standards list
C Asset valuation list
D Inventory list

Question 7

Which organizational department is ultimately responsible for information governance related to e-mail and other e-records?

A Legal
B Audit
C Compliance
D Security

Question 8

A cloud service provider requires its customer organizations to enable maximum audit logging for its data storage service and to retain the logs for the period of three months. The audit logging gene has extremely high amount of logs. What is the MOST appropriate strategy for the log retention?

A Keep all logs in an online storage.
B Keep last week's logs in an online storage and the rest in an offline storage.
C Keep last week's logs in an online storage and the rest in a near-line storage.
D Keep all logs in an offline storage.

Question 9

In Federated Identity Management (FIM), which of the following represents the concept of federation?

A Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
B Collection of information logically grouped into a single entity
C Collection of information for common identities in a system
D Collection of domains that have established trust among themselves

Question 10

Which of the following is an indicator that a company's new user security awareness training module has been effective?

A There are more secure connections to internal e-mail servers.
B More incidents of phishing attempts are being reported.
C Fewer incidents of phishing attempts are being reported.
D There are more secure connections to the internal database servers.

Question 11

An organization is trying to secure instant messaging (IM) communications through its network perimeter. Which of the following is the MOST significant challenge?

A IM clients can interoperate between multiple vendors.
B IM clients can run as executables that do not require installation.
C IM clients can utilize random port numbers.
D IM clients can run without administrator privileges.

Question 12

Using the cipher text and resultant cleartext message to derive the monoalphabetic cipher key is an example of which method of cryptanalytic attack?

A Known-plaintext attack
B Ciphertext-only attack
C Frequency analysis
D Probable-plaintext attack

Question 13

Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations?

A Synchronous Optical Networking (SONET)
B Multiprotocol Label Switching (MPLS)
C Fiber Channel Over Ethernet (FCoE)
D Session Initiation Protocol (SIP)

Question 14

When developing an organization's information security budget, it is important that the:

A requested funds are at an equal amount to the expected cost of breaches.
B expected risk can be managed appropriately with the funds allocated.
C requested funds are part of a shared funding pool with other areas.
D expected risk to the organization does not exceed the funds allocated.

Question 15

A subscription service which provides power, climate control, raised flooring, and telephone wiring but NOT the computer and peripheral equipment is BEST described as a:

A cold site.
B warm site.
C hot site.
D reciprocal site.

Question 16

An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?

A A detailed overview of all equipment involved in the outsourcing contract
B The right to perform security compliance tests on the MSSP's equipment
C The MSSP having an executive manager responsible for information security
D The right to audit the MSSP's security process

Question 17

Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document?

A Hashing
B Message digest (MD)
C Symmetric
D Asymmetric

Question 18

What is the MOST effective method to enhance security of a single sign-on (SSO) solution that interfaces with critical systems?

A Two-factor authentication
B Reusable tokens for application level authentication
C High performance encryption algorithms
D Secure Sockets Layer (SSL) for all communications

Question 19

Which of the following is MOST appropriate to collect evidence of a zero-day attack?

A Honeypot
B Antispam
C Antivirus
D Firewall

Question 20

When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test?

A Information may be found on hidden vendor patches.
B The actual origin and tools used for the test can be hidden.
C Information may be found on related breaches and hacking.
D Vulnerabilities can be tested without impact on the tested environment.

Question 21

The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?

A Change management
B Separation of environments
C Program management
D Mobile code controls

Question 22

Which of the following criteria ensures information is protected relative to its importance to the organization?

A Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
B The value of the data to the organization's senior management
C Organizational stakeholders, with classification approved by the management board
D Legal requirements determined by the organization headquarters' location

Question 23

What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?

A Collect the security-related information required for metrics, assessments, and reporting.
B Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies.
C Define an ISCM strategy based on risk tolerance.
D Establish an ISCM technical architecture.

Question 24

Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?

A File Integrity Checker
B Security information and event management (SIEM) system
C Audit Logs
D Intrusion detection system (IDS)

Question 25

An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance?

A RAID level 1
B RAID level 3
C RAID level 4
D RAID level 5

Page 1 of 20 • Questions 1-25 of 484

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Physical assets defined in an organization's business impact analysis (BIA) could include which of the following?

A Personal belongings of organizational staff members
B Disaster recovery (DR) line-item revenues
C Cloud-based applications
D Supplies kept off-site a remote facility

An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?

A Compression
B Caching
C Replication
D Deduplication

CISSPPreview