ISC2 CISSP Sample Questions with Explanations

ISC2 CISSP sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Certified Information Systems Security Professional (CISSP) topics such as governance, asset security, architecture, network security, IAM, assessment, operations, continuity, and software security. CISSP questions usually reward risk ownership and lifecycle thinking before technical fixes.

Where these questions fit in the CISSP guide

The sample set below is part of the ISC2 CISSP guide path:

CISSP risk-based sample questions

Work through each prompt before opening the explanation. For CISSP, ask whether the stem is about governance, ownership, architecture, operations, evidence, or software lifecycle before choosing the control.


Question 1

Topic: Prioritizing continuity planning

A company wants to improve disaster recovery for several business services. Budgets are limited, and leadership asks which services should receive the strongest recovery targets first. What should be completed before setting detailed technical recovery designs?

  • A. A business impact analysis that identifies critical processes, impacts, dependencies, and recovery priorities.
  • B. A purchase order for the largest backup appliance available.
  • C. A firewall rule review for every internal subnet.
  • D. A password reset for all employees.

Best answer: A

Explanation: A BIA connects recovery targets to business impact and service criticality. CISSP questions often test whether the candidate starts with business priorities before choosing technology.

Why the other choices are weaker:

  • B jumps to a solution before recovery priorities are known.
  • C may be useful in security operations, but it does not define continuity priorities.
  • D is unrelated to recovery target selection.

What this tests: Business impact analysis, continuity planning, recovery prioritization, and governance-before-technology judgment.

Related topics: BIA; Continuity; Risk management; Recovery planning


Question 2

Topic: Selecting an access-control model

A defense contractor handles highly sensitive project files. Access decisions must be centrally controlled by classification labels and user clearances, and users must not be able to change permissions at their own discretion. Which access-control model best fits?

  • A. Discretionary access control, because file owners should choose who can read each file.
  • B. Role-based access control only, because job title always captures classification and clearance.
  • C. Mandatory access control, because access is centrally enforced using labels and clearances.
  • D. Ruleless access control, because sensitive systems should avoid policy complexity.

Best answer: C

Explanation: Mandatory access control fits centrally enforced decisions based on sensitivity labels and subject clearance: the policy, not the file owner, decides, and a subject may read an object only when its clearance dominates the object's label (no read up). The clue in the stem is that users cannot freely delegate or alter permissions.

Why the other choices are weaker:

  • A allows owners too much discretion for the stated requirement.
  • B may help organize access, but the classification-and-clearance requirement points more directly to MAC.
  • D is not a recognized access-control model; a system with no rules has no policy to enforce at all.

What this tests: Access-control models, sensitivity labels, clearances, and central policy enforcement.

Related topics: MAC; Access control; Classification; IAM
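The label-and-clearance decision this question describes, as an added example that is not part of the original question set. It assumes a constructed four-level ordering (UNCLASSIFIED through TOP SECRET) plus need-to-know compartments, and enforces the two Bell-LaPadula confidentiality rules: no read up and no write down. The scenario data (an analyst cleared SECRET for a hypothetical PROJECT-X compartment) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Assumed ordering of sensitivity levels (constructed for this example; a real
# deployment takes its lattice from the organization's classification policy).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's label."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the
    subject's clearance, so data cannot flow into a less sensitive container."""
    return obj.dominates(clearance)


def decide(clearance: Label, obj: Label, op: str) -> bool:
    """Central policy decision point. The result depends only on the two labels
    and the operation; nothing a file owner sets can widen it (the MAC property
    the question is testing for)."""
    if op == "read":
        return can_read(clearance, obj)
    if op == "write":
        return can_write(clearance, obj)
    raise ValueError(f"unknown operation: {op}")


def run_scenarios() -> dict:
    """Constructed scenarios for an analyst cleared SECRET for PROJECT-X."""
    analyst = Label("SECRET", frozenset({"PROJECT-X"}))
    cases = {
        # read down within own compartment: allowed
        "read_confidential_project_x": ("read", Label("CONFIDENTIAL", frozenset({"PROJECT-X"}))),
        # read up: denied
        "read_top_secret": ("read", Label("TOP SECRET", frozenset({"PROJECT-X"}))),
        # same level, different compartment (no need-to-know): denied
        "read_secret_project_y": ("read", Label("SECRET", frozenset({"PROJECT-Y"}))),
        # write down to an unclassified share: denied (would leak)
        "write_unclassified": ("write", Label("UNCLASSIFIED")),
        # write to an object at the subject's own label: allowed
        "write_secret_project_x": ("write", Label("SECRET", frozenset({"PROJECT-X"}))),
    }
    return {name: decide(analyst, obj, op) for name, (op, obj) in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

Note that a higher level alone is not enough: a TOP SECRET subject with no compartments is still denied a SECRET object tagged PROJECT-X, which is the need-to-know half of the model that RBAC by job title (option B) does not capture.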


Question 3

Topic: Approving residual risk

A security team documents a moderate residual risk after implementing agreed controls. The business wants to proceed because further treatment would delay a critical launch. Who should formally accept the residual risk?

  • A. The help desk analyst who opened the original ticket.
  • B. The penetration tester who found the weakness.
  • C. The business or system owner with authority and accountability for the risk.
  • D. Any developer who can deploy the release.

Best answer: C

Explanation: Risk acceptance belongs to accountable management or the business/system owner, not the security team alone. CISSP emphasizes ownership and authority for risk decisions.

Why the other choices are weaker:

  • A does not have ownership authority.
  • B may provide evidence, but the tester does not own the business risk.
  • D has deployment capability, not risk-acceptance authority.

What this tests: Risk ownership, residual risk, accountability, and governance authority.

Related topics: Residual risk; Risk acceptance; Governance; Ownership


Question 4

Topic: Improving software security earlier

An application team finds critical authorization flaws during final testing, causing repeated release delays. Leadership wants to reduce rework without lowering assurance. Which approach is strongest?

  • A. Move security requirements, threat modeling, code review, and automated testing earlier in the SDLC.
  • B. Stop testing authorization logic so releases move faster.
  • C. Wait until production users report access issues.
  • D. Give every user the same role to simplify permission checks.

Best answer: A

Explanation: Building security into the lifecycle reduces late discovery and rework. CISSP software-security scenarios reward early requirements, design review, threat modeling, secure coding, testing, and release gates.

Why the other choices are weaker:

  • B hides defects instead of controlling them.
  • C makes customers the detection control.
  • D violates least privilege and breaks authorization design.

What this tests: Secure SDLC, shift-left controls, threat modeling, and software assurance.

Related topics: Secure SDLC; Threat modeling; Authorization; Software security
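What "moving authorization testing earlier" looks like in practice, as an added example that is not from the page or any real project. It pairs the kind of object-level authorization flaw the stem describes (any signed-in user can fetch any record by id) with a hardened version, and an authorization matrix that runs as an automated release gate instead of being discovered in final testing. The users, roles and project records are constructed sample data.

```python
# Constructed in-memory records standing in for a database (example data).
PROJECTS = {
    101: {"owner": "alice", "title": "Launch plan"},
    102: {"owner": "bob", "title": "Vendor contracts"},
}
ROLES = {"alice": "member", "bob": "member", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller is not permitted to see the requested object."""


def get_project_vulnerable(user: str, project_id: int) -> dict:
    """The flaw found late in testing: the caller is authenticated, but any
    signed-in member can fetch any project by guessing its id (missing
    object-level authorization)."""
    if user not in ROLES:
        raise Forbidden("unknown user")
    return PROJECTS[project_id]


def get_project_hardened(user: str, project_id: int) -> dict:
    """Hardened version: the object-level check runs before anything is
    returned. A missing project and another member's project raise the same
    error so the endpoint does not confirm which ids exist."""
    if user not in ROLES:
        raise Forbidden("unknown user")
    project = PROJECTS.get(project_id)
    if project is None or not (ROLES[user] == "admin" or project["owner"] == user):
        raise Forbidden("not permitted")
    return project


# The authorization matrix is written with the requirements, not in final QA:
# each row is (caller, object id, must_be_allowed).
AUTHZ_CASES = [
    ("alice", 101, True),     # owner reads own project
    ("alice", 102, False),    # owner must not read another member's project
    ("bob", 102, True),
    ("carol", 101, True),     # admin may read any project
    ("mallory", 101, False),  # unknown caller
    ("bob", 999, False),      # nonexistent id must not be distinguishable
]


def authorization_gate(fetch) -> list:
    """Run the matrix against an implementation and return the rows that fail.
    An empty list means the release gate passes. Any exception other than
    Forbidden is itself a failure: it is an error path the design never
    specified (and, as with KeyError here, it can leak which ids exist)."""
    failures = []
    for user, pid, expected in AUTHZ_CASES:
        try:
            fetch(user, pid)
            allowed = True
        except Forbidden:
            allowed = False
        except Exception as exc:
            failures.append((user, pid, expected, f"unexpected {type(exc).__name__}"))
            continue
        if allowed != expected:
            failures.append((user, pid, expected, allowed))
    return failures


if __name__ == "__main__":
    for name, impl in (("vulnerable", get_project_vulnerable),
                       ("hardened", get_project_hardened)):
        print(name, authorization_gate(impl) or "gate passed")
```

Run against the vulnerable implementation the gate reports two rows (alice reading bob's project, and the KeyError on a nonexistent id); against the hardened one it reports none. The point is where the matrix lives: next to the requirements and threat model, executed on every build, so the defect is caught before release planning rather than during it.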

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by ISC2 or any certification body.

Revised on Sunday, May 10, 2026