CompTIA Security+ SY0-701 ACTUAL
PRACTICE EXAM 2026/2027 | Verified
Questions and Answers | Aligned to Official
Objectives | Grade A Target | Pass Guaranteed
Section 1: General Security Concepts (Questions 1-12)
Q1: A security analyst is classifying security controls for a new data center implementation. The
analyst identifies biometric scanners at entry points, job rotation policies for administrators, and
encryption for data at rest. Which categories do these controls represent?
A. Physical, Managerial, Technical
B. Technical, Operational, Managerial
C. Physical, Operational, Technical [CORRECT]
D. Managerial, Physical, Technical
Correct Answer: C
Rationale: Biometric scanners are physical controls (protect facility access), job rotation is an
operational control (administrative procedure performed by people), and encryption is a
technical control (logical/technology-based). Managerial controls involve governance and risk
management frameworks, not operational procedures like job rotation. Option A incorrectly
categorizes job rotation as managerial. Option B misclassifies biometrics as technical (they're
physical) and job rotation as operational (correct) but placed wrong. Option D incorrectly labels
job rotation as physical.
Q2: A healthcare organization must ensure that patient diagnosis records remain unchanged after
creation to support medical research integrity. Which component of the CIA triad does this
requirement primarily address?
A. Confidentiality
B. Integrity [CORRECT]
C. Availability
D. Non-repudiation
,2
Correct Answer: B
Rationale: Integrity ensures data is not altered or tampered with in an unauthorized manner.
Immutable medical records prevent modification, ensuring research data reliability.
Confidentiality (A) focuses on unauthorized access prevention, not modification. Availability (C)
ensures systems/data are accessible when needed. Non-repudiation (D), while important for
accountability, is not part of the CIA triad and doesn't address data immutability.
Q3: An administrator needs to implement a control that prevents the CEO from unilaterally
approving wire transfers over $500,000. Which security control principle is being enforced?
A. Least privilege
B. Separation of duties [CORRECT]
C. Defense in depth
D. Need to know
Correct Answer: B
Rationale: Separation of duties prevents single individuals from controlling all aspects of
critical transactions, reducing fraud risk. Requiring multiple approvals for large transfers ensures
collusion is needed for misuse. Least privilege (A) limits access rights to minimum necessary,
not transaction approval workflows. Defense in depth (C) involves layered security controls.
Need to know (D) restricts data access based on role requirements, not financial controls.
Q4: [PBQ - Multi-Step] A security team is conducting a risk assessment for a cloud migration.
Drag and drop the appropriate risk response strategies to the scenarios described:
Scenarios:
1. Low-impact legacy system with high remediation cost
2. Critical payment processing system with known zero-day vulnerability
3. Acceptable risk level that doesn't exceed risk appetite
4. Transferring cyber insurance policy to cover breach costs
Response Strategies:
A. Avoid
B. Mitigate
C. Transfer
D. Accept
Correct Configuration:
,3
• 1 → D (Accept) [CORRECT]
• 2 → A (Avoid) [CORRECT]
• 3 → D (Accept) [CORRECT]
• 4 → C (Transfer) [CORRECT]
Rationale: Scenario 1: Accept the risk when remediation cost exceeds asset value and impact is
low. Scenario 2: Avoid the risk by discontinuing use of vulnerable critical systems (zero-day in
payment processing is unacceptable). Scenario 3: Accept when residual risk is within appetite.
Scenario 4: Transfer risk to third party via insurance. Mitigate (B) involves implementing
controls to reduce risk likelihood/impact, not applicable to these specific scenarios as described.
Q5: A security analyst is reviewing the change management process. A developer requests an
emergency change to patch a critical vulnerability in the public-facing web application. Which
sequence must be followed even for emergency changes?
A. Request → Approve → Test → Deploy → Document
B. Request → Approve → Deploy → Test → Document
C. Request → Approve → Deploy → Document → Review [CORRECT]
D. Request → Deploy → Approve → Document → Review
Correct Answer: C
Rationale: Emergency changes follow abbreviated but mandatory steps: Request, Approval,
Deployment, Documentation, Post-implementation Review. Testing (A, B) is ideal but may be
abbreviated in true emergencies with acceptance of risk; however, documentation and review
remain mandatory. Deploying before approval (D) violates governance. The post-implementation
review ensures the emergency change didn't introduce new issues and validates the emergency
justification.
Q6: An organization is implementing a governance framework to align security with business
objectives. The CISO needs to establish metrics that demonstrate security program effectiveness
to the board. Which document best serves this purpose?
A. Business Impact Analysis (BIA)
B. Balanced Scorecard [CORRECT]
C. Disaster Recovery Plan (DRP)
D. Incident Response Plan (IRP)
Correct Answer: B
, 4
Rationale: A Balanced Scorecard translates security strategy into performance metrics across
financial, customer, process, and learning perspectives—ideal for board-level communication. A
BIA (A) identifies critical assets and impacts, not ongoing metrics. DRP (C) and IRP (D) are
operational documents, not strategic governance tools for measuring program effectiveness.
Q7: A security analyst needs to select a control framework for a multinational financial
institution. The framework must provide detailed implementation guidance for banking
regulations across multiple jurisdictions. Which is the most appropriate choice?
A. ISO 27001
B. NIST Cybersecurity Framework
C. COBIT [CORRECT]
D. CIS Controls
Correct Answer: C
Rationale: COBIT (Control Objectives for Information and Related Technologies) is designed
for enterprise governance and management of IT, with strong emphasis on regulatory compliance
and business alignment—ideal for multinational financial institutions. ISO 27001 (A) provides
certifiable ISMS standards but less regulatory specificity. NIST CSF (B) is outcome-based and
voluntary. CIS Controls (D) are prioritized technical safeguards, lacking governance depth for
complex regulatory environments.
Q8: An administrator is classifying data handling requirements. Medical records requiring
HIPAA compliance, proprietary algorithm source code, and publicly available marketing
brochures need appropriate labels. Which classification scheme applies?
A. Public, Internal, Confidential, Secret
B. Restricted, Confidential, Internal, Public
C. Critical, High, Medium, Low
D. All of the above depending on organizational policy [CORRECT]
Correct Answer: D
Rationale: Data classification is organization-specific. Healthcare may use HIPAA categories
(Restricted/Confidential), government uses Confidential/Secret/Top Secret, and others use
Criticality levels. No universal standard exists; the scheme must align with legal requirements,
industry standards, and business needs. Options A, B, and C are all valid schemes used by
different organizations.