CISMP V9 EXAMPLE QUESTIONS CORRECT ANSWERS 2025
AAA Triad in Information Security - CORRECT ANSWER✅✅✅Authentication, Authorisation,
Accounting
Accountability - CORRECT ANSWER✅✅✅Acknowledgement and acceptance of ownership of actions,
decisions, policies and deliverables
Defence in depth - CORRECT ANSWER✅✅✅Provides redundancy in the event of a security control
failure or vulnerability
In security governance, which publication is at the highest level? - CORRECT ANSWER✅✅✅Policy
What is considered the greatest risk to information systems that results from deploying end-to-end
Internet of Things (IoT) solutions? - CORRECT ANSWER✅✅✅Much larger attack surface than
traditional IT systems
How is risk calculated - CORRECT ANSWER✅✅✅Risk = likelihood * impact
Key purpose of appending security classification labels to information? - CORRECT ANSWER✅✅✅To
provide guidance and instruction on implementing appropriate security controls to protect the
information
What statutory requirement is relevant no matter which sector or geographical location someone is in? -
CORRECT ANSWER✅✅✅GDPR
To better improve security culture within an org. with top down approach, what action is most
effective? - CORRECT ANSWER✅✅✅Adopting "clear desk" policy
What form of risk assessment most likely to provide objective support for a security return on a
investment case? - CORRECT ANSWER✅✅✅Quantitative
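The two risk formulas above (Risk = likelihood * impact, and the quantitative assessment that supports an investment case) as a worked example. This is an added illustration, not part of the CISMP question set: the risk register figures are constructed, and the quantitative side assumes the conventional definitions ALE = SLE x ARO and ROSI = (ALE before - ALE after - control cost) / control cost, which the questions themselves do not spell out.

```python
"""Qualitative vs quantitative risk scoring on a constructed risk register.

Added example (not from the CISMP material). Assumed definitions:
  qualitative:   risk  = likelihood x impact, both on ordinal 1..5 scales
  quantitative:  ALE   = SLE x ARO  (annualised loss expectancy, in currency)
                 ROSI  = (ALE_before - ALE_after - control_cost) / control_cost
All names, figures and reductions below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int   # ordinal 1 (rare) .. 5 (almost certain)
    impact: int       # ordinal 1 (negligible) .. 5 (severe)
    sle: float        # single loss expectancy: cost of one incident
    aro: float        # annualised rate of occurrence: incidents per year


def qualitative_score(r: Risk) -> int:
    """Risk = likelihood x impact on the ordinal scales (max 25)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError("ordinal scales must be 1..5")
    return r.likelihood * r.impact


def ale(r: Risk) -> float:
    """Annualised loss expectancy = SLE x ARO, in currency per year."""
    return r.sle * r.aro


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment as a ratio; negative means the control
    costs more per year than the loss it removes."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed register: a rare, severe event and a frequent, cheap one.
REGISTER = [
    Risk("Ransomware on file server", 4, 5, sle=250_000.0, aro=0.2),
    Risk("Lost unencrypted laptop", 3, 2, sle=20_000.0, aro=3.0),
    Risk("DDoS on public website", 2, 2, sle=5_000.0, aro=0.5),
]


def rank_qualitative(register):
    """Highest matrix score first."""
    return sorted(((qualitative_score(r), r.name) for r in register), reverse=True)


def rank_quantitative(register):
    """Highest expected annual loss first."""
    return sorted(((ale(r), r.name) for r in register), reverse=True)


def evaluate_control(r: Risk, sle_reduction: float, aro_reduction: float, cost: float):
    """Model a control as a fractional reduction of SLE and/or ARO and return
    (ALE before, ALE after, ROSI) so the figure can be put in a business case."""
    before = ale(r)
    after = r.sle * (1.0 - sle_reduction) * r.aro * (1.0 - aro_reduction)
    return before, after, rosi(before, after, cost)


if __name__ == "__main__":
    print("qualitative:", rank_qualitative(REGISTER))
    print("quantitative:", rank_quantitative(REGISTER))
    laptop = REGISTER[1]
    # Full-disk encryption: laptops are still lost (ARO unchanged) but the
    # data exposure cost is largely removed (SLE down 90%), for 5,000 a year.
    print("FDE on laptops:", evaluate_control(laptop, 0.9, 0.0, 5_000.0))
    ddos = REGISTER[2]
    # A scrubbing service that cuts successful DDoS by 80% but costs 10,000 a year.
    print("DDoS scrubbing:", evaluate_control(ddos, 0.0, 0.8, 10_000.0))
```

Note how the two rankings disagree: the ordinal matrix puts ransomware (4 x 5 = 20) far above lost laptops (3 x 2 = 6), while the ALE figures put laptops first (60,000 vs 50,000 per year) because the matrix compresses frequency into a 1..5 step. Only the quantitative figures yield a ROSI (9.8 for the encryption control, -0.8 for the scrubbing service), which is what an investment case needs.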
What is covered by ISO/IEC 27000 series? - CORRECT ANSWER✅✅✅Forensic recovery of data, Data
deduplication, data protection and privacy
What is not a form of computer misuse? - CORRECT ANSWER✅✅✅Illegal retention of personal data
Which membership-based organisation produces international standards, which cover good practice for
information assurance? - CORRECT ANSWER✅✅✅BSI
Which standards framework offers a set of IT Service Management best practices to assist organisations
in aligning IT service delivery with business goals - including security goals? - CORRECT
ANSWER✅✅✅ITIL
Which security framework impacts on organisations that accept credit cards, process credit card
transactions, store relevant data or transmit credit card data? - CORRECT ANSWER✅✅✅PCI DSS
Which of the following international standards deals with the retention of records? - CORRECT
ANSWER✅✅✅ISO 15489
Once data has been created in a standard information lifecycle, what step TYPICALLY happens next? -
CORRECT ANSWER✅✅✅Data Storage
Which of the following is a framework and methodology for Enterprise Security Architecture and Service
Management? - CORRECT ANSWER✅✅✅SABSA
Acronym that covers the real-time analysis of security alerts generated by applications and network
hardware? - CORRECT ANSWER✅✅✅SIEM
James is working with a software programme that completely obfuscates the entire source code, often
in the form of a binary executable making it difficult to inspect, manipulate or reverse engineer the
original source code. What type of software programme is this? - CORRECT
ANSWER✅✅✅Compiled code (not interpreted source: interpreted programmes ship the readable source, whereas compilation produces the binary described)