BCS CISMP Questions and Correct Answers
Which of the following doesn't apply to risk?
a) Risk is the effect of uncertainty on objectives
b) When assessing risk you should take into account the consequence and likelihood of security incidents
c) Risk is the possibility that a threat actor will exploit a vulnerability to create a security incident
d) In order to assess risk you will need an understanding of your organisation's assets and its vulnerabilities, as well as the threats, both internal and external, that it faces
Ans: C
Which of the following is true?
a) An unpatched web server is a threat
b) An unencrypted corporate wireless LAN is a threat
c) Both of the above
d) None of the above
Ans: D
© 2025 All rights reserved
Which of the following is not a vulnerability?
a) A misconfigured firewall
b) A script kiddie
c) Both of the above
d) None of the above
Ans: B
ISMS stands for...
a) Integrated Security Management System
b) Information System Managed Security
c) Information Security Management System
d) Integrated System for Managed Security
Ans: C
When accessing an IT system, the order of events is...
a) Authentication, Identification, Authorisation
b) Identification, Authorisation, Authentication
c) Authorisation, Identification, Authentication
d) None of the above
Ans: D
According to NIST definitions, which of the following is not an essential characteristic of cloud computing?
a) Access through value-added networks using proprietary protocols
b) Rapid elasticity
c) Location-independent resource pooling
d) On-demand self-service
Ans: A
A web service available to the public has been compromised. The hackers were able to copy passwords and modify them. Which information security principles will have been violated by the breach?
a) Confidentiality and integrity only
b) Integrity and availability only
c) Availability and confidentiality only
d) Confidentiality, integrity and availability
Ans: D
When considering the deployment of a new information system, which of the following is correct?
a) The system should be accredited before being certified
b) Certification is a formal assessment of the information system against information assurance requirements, resulting in the acceptance of residual risk in the context of business requirements and formal approval by management
c) Accreditation is a comprehensive assessment of the system's security controls to determine whether they meet the security requirements of the system
d) The system should be certified before being accredited
Ans: D
When valuing an asset, what should you take into consideration? Select the best answer.