50 cissp practice questions Practice Questions: Question Bank 2025

A security manager is selecting a risk treatment option for a legacy web application that cannot be patched for six months. A compensating control (WAF) will reduce likelihood, but the residual risk remains above the organization's risk appetite. What is the BEST next step?

A healthcare organization needs to ensure that only the minimum necessary data is included in daily analytics exports sent to a third-party processor. Which control BEST supports this requirement?

An organization wants to protect a cryptographic private key used for code signing against extraction, even if the host operating system is compromised. Which solution BEST meets this requirement?

Users report that they can connect to a remote office network via VPN, but they cannot resolve internal hostnames; they can reach internal resources by IP address. Which is the MOST likely cause?

A company is implementing a single sign-on solution for multiple SaaS applications. The security requirement states that the enterprise identity provider must authenticate users and assert their identity to SaaS providers. Which protocol BEST matches this requirement?

An internal audit team wants to validate that critical security controls are both properly designed and operating effectively over time. Which approach BEST meets this objective?

A SOC detects repeated authentication failures followed by a successful login from an unusual location for a privileged account. The organization wants to reduce the chance of account compromise while preserving business operations. What is the BEST immediate response?

A development team is building a microservices-based application and wants to prevent injection attacks across multiple services while minimizing duplicated validation logic. Which is the BEST approach?

A multinational organization is designing a security architecture for a new manufacturing environment using industrial control systems (ICS). Availability and safety are primary objectives, and patch windows are rare. Which design choice BEST balances risk reduction with operational constraints?

A cloud-hosted application uses short-lived access tokens for API calls. A recent incident showed tokens were replayed from a different client after being intercepted in a misconfigured logging pipeline. Which control would MOST effectively reduce the impact of stolen tokens without significantly increasing user friction?

An organization plans to grant a vendor temporary access to an internal ticketing system for 2 weeks. The vendor should only see tickets assigned to their company and must not retain access afterward. Which access approach BEST meets least privilege and lifecycle requirements?

A security team needs to verify that backups can be used to restore operations after ransomware, not just that backup jobs completed successfully. Which activity MOST directly validates this objective?

A company is classifying information assets and needs a method to ensure documents are handled according to their classification throughout their lifecycle. Which control BEST supports this goal?

A multinational organization wants to reduce the risk that administrators could access sensitive payroll data in the database. The DBAs must still manage performance, indexes, and backups. Which solution BEST addresses this requirement?

A company is migrating workloads to a public cloud and wants to prevent accidental exposure of customer data due to overly permissive object storage settings. Which control is MOST effective to implement first?

A security analyst observes intermittent TLS handshake failures between a branch office and a payment gateway. Packet captures show the client offers only weak cipher suites and an outdated protocol version. Which remediation BEST aligns with secure communications practices?

During an internal audit, a team finds that developers can deploy code directly to production without peer review, and emergency changes are common. Which control MOST directly mitigates the risk of unauthorized or untested changes?

A risk manager must decide whether to accept the risk of a legacy system that cannot be patched but is needed for a critical business process. A compensating control is proposed, and leadership wants a clear, defensible decision. What is the BEST next step?

A company is implementing a new biometric authentication system for a high-security facility. The security architect is concerned about the long-term impact of biometric compromise. Which design choice BEST addresses this concern?

A security team wants to measure how well its detection capability identifies lateral movement in an enterprise network. The team needs high confidence in results while minimizing disruption to production systems. Which approach BEST meets this goal?

A new security analyst is classifying data for the first time. Which label most directly determines the minimum set of security controls required to protect the data throughout its lifecycle?

During an incident response, a responder needs to preserve evidence from a compromised endpoint. Which action is MOST important to ensure the evidence will be admissible and defensible?

A company is adopting a passwordless authentication approach for remote workers. Which of the following BEST describes the security benefit of using FIDO2/WebAuthn authenticators?

A financial institution wants to reduce the risk that a compromised internal server can laterally move to other systems. Which design choice MOST directly supports this objective?

An organization is selecting a cryptographic approach for protecting data at rest on employee laptops. The goal is to ensure that if the device is stolen, the attacker cannot access the data, even if they remove the drive. Which solution BEST meets this requirement?

A security team is testing access controls on a critical application. They want evidence that specific business requirements (e.g., 'Only managers can approve refunds over $5,000') are enforced correctly. Which assessment approach is MOST appropriate?

A development team is moving to microservices and wants to prevent unauthorized service-to-service calls. Which control BEST provides strong workload identity and policy-based authorization between services?

An attacker gained access to a Windows host and is suspected of using credential dumping to move laterally. The organization wants to reduce the effectiveness of pass-the-hash and similar techniques. Which control provides the BEST mitigation?

A company must outsource processing of regulated data to a cloud provider. The company wants to ensure the provider cannot decrypt the data, while still allowing the application to search and process it. Which approach BEST aligns with this goal under realistic constraints?

A CI/CD pipeline automatically builds and deploys containers. A recent incident involved a compromised build agent injecting malicious code into multiple releases. Which control MOST effectively reduces the risk of deploying tampered artifacts?

A security team is defining how long to retain audit logs for a regulated business process. Multiple stakeholders want to keep logs indefinitely "just in case." What is the BEST initial step for the security professional?

A company uses a cloud object store to host sensitive reports shared internally. A review finds that the object store allows users to download files even after their access should be revoked. Which control BEST addresses this issue at the data layer?

An organization is deploying a new wireless network for employees and must prevent rogue access points and unauthorized clients from joining. Which solution BEST meets this requirement?

A penetration test report notes that the web application is vulnerable to reflected XSS. Which change is the MOST effective primary remediation at the application layer?

A security architect is designing a highly available system that must tolerate the failure of a single component without service interruption. Which design principle BEST supports this requirement?

An enterprise wants to reduce password resets and improve security for remote access. Users authenticate to a centralized identity provider and then access multiple SaaS applications without re-entering credentials. Which capability is being implemented?

A SOC is overwhelmed by false positives from an intrusion detection system. The CISO wants to measure whether recent tuning efforts are actually improving alert quality. Which metric is MOST appropriate?

During incident response, a responder needs to acquire a workstation image that will be admissible and defensible. Which action BEST supports evidence integrity?

A company uses a third-party payroll processor. The CISO wants assurance that the vendor’s security controls related to confidentiality and availability are designed appropriately and operating effectively over time. Which report is MOST suitable?

An organization is adopting a zero trust architecture. Users frequently access internal web applications from unmanaged devices. The security architect must minimize data exposure while still enabling access. Which approach BEST aligns with zero trust principles?

An organization is revising its incident response plan. Management wants a single document that clearly defines who has the authority to declare an incident, approve public statements, and authorize system shutdowns. Which document best satisfies this requirement?

A security team is classifying data and needs to ensure that all copies of highly sensitive files remain protected even when emailed externally or saved to unmanaged devices. Which control most directly addresses this requirement?

A company wants to reduce the risk of credential replay from intercepted network traffic. Which protocol feature most directly mitigates replay attacks during authentication?

A healthcare provider is deploying a new analytics platform. The business requires that patient identifiers be reversible under strict controls for lawful re-identification, but analysts should normally work with de-identified values. Which approach best meets this requirement?

A SOC notices repeated successful logins to a cloud admin console from geographically impossible locations within minutes. The accounts use strong passwords and MFA via SMS. Which change most directly reduces the likelihood of this specific compromise scenario?

During a vendor security review, a supplier claims they "have a SOC report." You need assurance about the design and operating effectiveness of controls relevant to security, availability, and confidentiality over a period of time. Which report should you request?

A company is implementing microservices and wants to prevent a compromised service from directly calling high-privilege internal APIs. They need an architecture control that enforces service-to-service identity, mutual authentication, and fine-grained authorization policies. What is the best solution?

A development team adopted infrastructure as code (IaC) and containers. Security wants to detect vulnerable base images and misconfigurations before deployment while minimizing impact to release speed. Which approach best supports this goal?

An organization is considering whether to use a single cloud KMS key for all application data or separate keys by data classification and business unit. They want to reduce the impact of key compromise while maintaining manageable operations. Which key management strategy is MOST appropriate?

A red team demonstrates that after compromising a low-privilege workstation, they can request Kerberos service tickets for a service account and crack the password offline due to weak service account credentials. Which control would MOST directly reduce the risk of this attack succeeding in the future?